July 08, 2007

Cracking Tutorial : Tomb Raider - Last Revelation

Some info about the target :
Title : Tomb Raider - The last revelation (a.k.a) Tomb Raider 4
Version : Xp patched version downloaded from www.Tombraiderchronicles.com
Protection : CD check.

Cracking tools used : Ollydbg 1.10(Best Debugger)


Ok, let's start cracking.
Initial steps: run the game without the CD. You'll note the following message box.



I read the text and clicked on Cancel. I loaded OllyDbg and opened the file "tomb4.exe"; it was disassembled and ready to be cracked.

Now I right clicked and selected "Search for > All referenced text strings".


A new window containing a lot of text popped up. It's called the "References" window. I right clicked in the References window and chose "Search for text".



I typed part of the string that the game displayed when I didn't insert the CD, and hit Enter.



I found the string.



Then I double clicked on it. That took me here:



I scrolled a few lines up and set a breakpoint on the starting point of the routine at 0048E9C0. Later I realised that the check must happen before the popup is displayed, so I searched for conditional jumps within the routine and above the message string. I found two conditional jumps at 0048EA06 and 0048EA13. So I cleared my previous breakpoint and set two breakpoints, on 0048EA06 and 0048EA13.



Upon analyzing these two jumps I found that the first one jumps past the message box, so it might be the second one. There is a strange CALL between the first conditional jump and the second conditional jump. That call might be the CD check.

Code:

0048EA04  |. 84C0           TEST AL,AL
0048EA06  |. 0F85 27040000  JNZ tomb4.0048EE33
0048EA0C  |. E8 FF51FEFF    CALL tomb4.00473C10     ; strange call, CD check?
0048EA11  |. 84C0           TEST AL,AL
0048EA13  |. 75 25          JNZ SHORT tomb4.0048EA3A

Take a look at the code below the call: it's checking the value returned by the call (TEST AL,AL). I found out that the call returns 01 when the disc is inserted and 00 when the disc is not in the drive. So we have to remove the call and replace it with some other code. This method is applicable to Ballance also.

So I'm going to replace the call with MOV EAX,1. I selected the CALL line, pressed Space and typed MOV EAX,1.



The other alternative is to set the value of AL to 1, so you replace the call with MOV AL,1. Be sure to check "Fill with NOP's".

This will also work, but after modification the code will look like this:

Code:

0048EA06  |. 0F85 27040000  JNZ tomb4.0048EE33
0048EA0C  |. B0 01          MOV AL,1
0048EA0E  |. 90             NOP
0048EA0F  |. 90             NOP
0048EA10  |. 90             NOP
0048EA11  |. 84C0           TEST AL,AL
0048EA13  |. 75 25          JNZ SHORT tomb4.0048EA3A

The call is a four byte code, and since we are replacing it with a single byte code we have to fill the rest with NOP's. You'll notice that there are three extra lines (the NOP's). So a four byte code has to be replaced by a four byte code; that's what I like it to be. If you don't do it that way it won't cause any problem, but I always try to avoid NOP's. So I recommend you replace the call with the 4 byte code "MOV EAX,1".

When you use MOV EAX,1 the code will look like this:

Code:

0048EA06  |. 0F85 27040000  JNZ tomb4.0048EE33
0048EA0C  |. B8 01000000    MOV EAX,1
0048EA11  |. 84C0           TEST AL,AL
0048EA13  |. 75 25          JNZ SHORT tomb4.0048EA3A

With either of these methods the crack will work.
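The same before/after byte patterns can be turned around for the defender's side. As an added example (not part of the original tutorial), the Python below classifies what sits at the former CALL site and also scans a buffer for the generic tell-tale of this kind of patch: a TEST AL,AL that is fed by an immediate MOV instead of a function result. The instruction bytes are the ones listed above; the surrounding buffer and the offset are constructed inline for the demonstration, not read from tomb4.exe.

```python
# Integrity check for the "CALL cd_check ; TEST AL,AL ; JNZ" pattern.
# Constructed sample data: the offset and the bytes around the CALL are
# built here, not taken from tomb4.exe. Instruction encodings match the
# listings above (CALL = E8 + four byte displacement; both replacements
# occupy exactly the same number of bytes).

ORIGINAL_CALL = bytes.fromhex("E8FF51FEFF")   # CALL tomb4.00473C10
PATCH_MOV_EAX = bytes.fromhex("B801000000")   # MOV EAX,1
PATCH_MOV_AL  = bytes.fromhex("B001909090")   # MOV AL,1 ; NOP ; NOP ; NOP
TEST_AL_JNZ   = bytes.fromhex("84C07525")     # TEST AL,AL ; JNZ SHORT +25

# Constructed: the two instructions the page shows before the CALL.
_PREFIX = bytes.fromhex("84C00F8527040000")   # TEST AL,AL ; JNZ 0048EE33
CALL_OFFSET = len(_PREFIX)                    # hypothetical offset = 8

INTACT_SAMPLE      = _PREFIX + ORIGINAL_CALL + TEST_AL_JNZ
PATCHED_EAX_SAMPLE = _PREFIX + PATCH_MOV_EAX + TEST_AL_JNZ
PATCHED_AL_SAMPLE  = _PREFIX + PATCH_MOV_AL  + TEST_AL_JNZ


def classify_site(buf: bytes, off: int) -> str:
    """Report what occupies the CALL site at `off` in `buf`."""
    window = buf[off:off + 5]          # five bytes: CALL or its replacement
    follow = buf[off + 5:off + 9]      # the check that consumes AL
    if follow != TEST_AL_JNZ:
        return "no-check-pattern"      # not the sequence we know; no verdict
    if window == ORIGINAL_CALL:
        return "intact"
    if window == PATCH_MOV_EAX:
        return "patched-mov-eax"
    if window == PATCH_MOV_AL:
        return "patched-mov-al-nop"
    return "patched-other"


def find_constant_fed_tests(buf: bytes) -> list:
    """Heuristic scan: offsets where TEST AL,AL is fed by an immediate
    (MOV EAX,imm32 or MOV AL,imm8 plus NOP padding) rather than a CALL.
    A boolean check fed by a constant is a strong sign it was bypassed."""
    hits = []
    for i in range(len(buf)):
        if buf[i] == 0xB8 and buf[i + 5:i + 7] == b"\x84\xC0":
            hits.append(i)
        elif buf[i] == 0xB0:
            j = i + 2
            while j < len(buf) and buf[j] == 0x90:   # skip NOP padding
                j += 1
            if buf[j:j + 2] == b"\x84\xC0":
                hits.append(i)
    return hits
```

Run against a real image, `classify_site` wants the file offset that OllyDbg maps to 0048EA0C, while `find_constant_fed_tests` needs no address at all and will also flag the "MOV AL,1 + NOP's" variant.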

So far I've only changed the code in memory; I have to make it permanent in the exe file. So I right clicked and selected "Copy to executable > All modifications",



and chose "Copy all". A dump window popped up; I right clicked there and selected "Save file",



and I typed a new name for the cracked file.

Use the same method to crack the Tomb Raider - Chronicles XP patched version.