Thief ver 1.33 NO CD

[Trooper1234]

what part thief is this thread written?

EDIT Oh sorry, i see now in start of post.

what programm is that on website? says "totally useful software". what makes it when i download?

[Waterdust]

Code:

http://www.mediafire.com/?jm21zxjwz4m

Hope it's still there later on, I'm not sure how long they keep these things.

========

Cowsheep - Thief.exe - No Disk X
There is no disk in the drive. Please insert a disk into the drive D:

Cancel Try Again Continue

Looks like that ^ / X = close

[Cowsheep]

Try my fixed exe:Thief_v133_D3DFixNoCD.rar

There are more ways to crack this.
Whats better Tippex: Keep call alive and hardcode result so conditional jump does what it should like i did it or nop the call to the protection routine?

[TippeX]

personally i'd have hit the protection routine to return true for the check, that way if its called indirectly later, its better

actally, it looks like there may be an ini setting 'test_copy_protect'
so check the ini file, see if thats there, its probabaly somethign like 'test_copy_protect = 1' or similar, so make it 0 (if it says TRUE then make it FALSE)
and see what happens

[Cowsheep]

I didnt found any ini setting.
Not all disc checks are proctection, some also check discs for movies if you didnr make a full install.
Why the hell i dont see the AL register in Olly under registers?
After the test_copy_protect is a test al,al, cond jump and then the same again.
Making the 2 jumps uncodtinoal causes a crash.

[TippeX]

you need to look deeper

Code:

.0060F870:  73 63 72 69-70 74 5F 6D-6F 64 75 6C-65 5F 70 61  script_module_pa
.0060F880:  74 68 00 00-6D 6F 76 69-65 5F 70 61-74 68 00 00  th  movie_path
.0060F890:  6C 61 6E 67-75 61 67 65-00 00 00 00-65 6E 67 6C  language    engl
.0060F8A0:  69 73 68 00-6E 6F 5F 63-64 5F 25 73-5F 25 73 00  ish no_cd_%s_%s
.0060F8B0:  4E 4F 20 43-44 00 00 00-74 69 74 6C-65 00 00 00  NO CD   title
.0060F8C0:  6D 73 67 00-20 2E 00 00-63 64 5F 70-61 74 68 00  msg  .  cd_path
.0060F8D0:  74 68 69 65-66 5C 73 6E-64 2E 63 72-66 00 00 00  thief\snd.crf
.0060F8E0:  72 62 00 00-72 62 00 00-63 64 5F 70-61 74 68 00  rb  rb  cd_path
.0060F8F0:  44 3A 5C 00-00 00 00 00-63 64 5F 70-61 74 68 00  D:\     cd_path
.0060F900:  44 3A 5C 00-00 00 00 00-74 65 73 74-5F 63 6F 70  D:\     test_cop
.0060F910:  79 5F 70 72-6F 74 65 63-74 00 00 00-6F 6E 6C 79  y_protect   only
.0060F920:  5F 63 68 65-63 6B 5F 70-61 74 68 00-00 00 00 00  _check_path

now x-reference the test_copy_protect_line

to do this, there's probably a thief.cfg file, or maybe thief.ini, i think its cfg though, inside that there should be a line as
'cd_path'
which probably needs to be changed to .\
and some files copied from the cd/dvd to the installation folder (most likely the movies folder)

the AL register in ollydbg is in the EAX register
EAX = 32 bit
AX = 16 bit
AH = 8 bit high
AL = 8 bit low

think you need to read up on your asm a little more..

and changing jumps is usually a bad idea, target the procedure, NOT the conditionals, because the procedures influence the conditional

Code:

.0050E8F0: 8B442404                       mov         eax,[esp][4]
.0050E8F4: 50                             push        eax
.0050E8F5: FF1528615B00                   call        GetDriveTypeA
.0050E8FB: 33C9                           xor         ecx,ecx
.0050E8FD: 83F805                         cmp         eax,5
.0050E900: 0F94C1                         setz        cl
.0050E903: 8BC1                           mov         eax,ecx
.0050E905: C3                             retn ; -^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-

is the function to determine if the drive is a cd drive, if it is it returns TRUE (1), otherwise it returns FALSE (0)

if you look above that you'll see it looking for snd.crf, and accessing the 'cd_path' variable..

x-ref that function and you'll find..

Code:

.0050E910: 8B442404                       mov         eax,[esp][4]
.0050E914: 53                             push        ebx
.0050E915: 85C0                           test        eax,eax
.0050E917: B341                           mov         bl,041 ;'A'
.0050E919: 7444                           jz         .00050E95F --↓1
.0050E91B: 8B4C240C                       mov         ecx,[esp][00C]
.0050E91F: 85C9                           test        ecx,ecx
.0050E921: 7410                           jz         .00050E933 --↓2
.0050E923: 0FBE00                         movsx       eax,b,[eax]
.0050E926: 50                             push        eax
.0050E927: E894070900                     call       .00059F0C0 --↓3
.0050E92C: 8BD8                           mov         ebx,eax
.0050E92E: 83C404                         add         esp,4
.0050E931: FEC3                           inc         bl
.0050E933: 80FB5A                         cmp         bl,05A ;'Z'
.0050E936: 7F27                           jg         .00050E95F --↓1
.0050E938: 6830F86000                     push        00060F830 ;'D:\' --↓4
.0050E93D: 881D30F86000                   mov         [00060F830],bl ;'D:\' --↓4
.0050E943: E8A8FFFFFF                     call       .00050E8F0 --↑5
.0050E948: 83C404                         add         esp,4
.0050E94B: 85C0                           test        eax,eax
.0050E94D: 7509                           jnz        .00050E958 --↓6
.0050E94F: FEC3                           inc         bl
.0050E951: 80FB5A                         cmp         bl,05A ;'Z'
.0050E954: 7EE2                           jle        .00050E938 --↑7
.0050E956: 5B                             pop         ebx
.0050E957: C3                             retn ; -^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-
.0050E958: B830F86000                     mov         eax,00060F830 ;'D:\' --↓4
.0050E95D: 5B                             pop         ebx
.0050E95E: C3                             retn ; -^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-
.0050E95F: 33C0                           xor         eax,eax
.0050E961: 5B                             pop         ebx
.0050E962: C3                             retn ; -^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-

which is the routine that validates if the drive letter is a cd/dvd drive..

x-ref that and it'll take you to..

Code:

.0050E970: 81EC04010000                   sub         esp,000000104

x-ref that and it takes you to..

Code:

.0050EB90: C705AC8E670000000000           mov         d,[000678EAC],0
.0050EB9A: E8D1FDFFFF                     call       .00050E970 --↑7
.0050EB9F: 85C0                           test        eax,eax
.0050EBA1: 7517                           jnz        .00050EBBA --↓8
.0050EBA3: 6A01                           push        1
.0050EBA5: E806FCFFFF                     call       .00050E7B0 --↑9
.0050EBAA: 83C404                         add         esp,4
.0050EBAD: 85C0                           test        eax,eax
.0050EBAF: 742A                           jz         .00050EBDB --↓A
.0050EBB1: E8BAFDFFFF                     call       .00050E970 --↑7
.0050EBB6: 85C0                           test        eax,eax
.0050EBB8: 74E9                           jz         .00050EBA3 --↑B
.0050EBBA: A1AC8E6700                     mov         eax,[000678EAC]
.0050EBBF: 85C0                           test        eax,eax
.0050EBC1: 740E                           jz         .00050EBD1 --↓C
.0050EBC3: 50                             push        eax
.0050EBC4: E897FEFFFF                     call       .00050EA60 --↑D
.0050EBC9: A1AC8E6700                     mov         eax,[000678EAC]
.0050EBCE: 83C404                         add         esp,4
.0050EBD1: 33C9                           xor         ecx,ecx
.0050EBD3: 85C0                           test        eax,eax
.0050EBD5: 0F95C1                         setnz       cl
.0050EBD8: 8BC1                           mov         eax,ecx
.0050EBDA: C3                             retn ; -^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-
.0050EBDB: 33C0                           xor         eax,eax
.0050EBDD: C3                             retn ; -^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-

x-ref that and it takes you to..

Code:

.0050EC90: 6A00                           push        0
.0050EC92: 6A00                           push        0
.0050EC94: 6808F96000                     push        00060F908 ;'test_copy_protect' --↓2
.0050EC99: E842B70300                     call       .00054A3E0 --↓3
.0050EC9E: 83C40C                         add         esp,00C
.0050ECA1: 84C0                           test        al,al
.0050ECA3: 7507                           jnz        .00050ECAC --↓4
.0050ECA5: B801000000                     mov         eax,1
.0050ECAA: EB21                           jmps       .00050ECCD --↓5
.0050ECAC: 6A00                           push        0
.0050ECAE: 6A00                           push        0
.0050ECB0: 681CF96000                     push        00060F91C ;'only_check_path' --↓6
.0050ECB5: E826B70300                     call       .00054A3E0 --↓3
.0050ECBA: 83C40C                         add         esp,00C
.0050ECBD: 84C0                           test        al,al
.0050ECBF: 7507                           jnz        .00050ECC8 --↓7
.0050ECC1: E8CAFEFFFF                     call       .00050EB90 --↑8
.0050ECC6: EB05                           jmps       .00050ECCD --↓5
.0050ECC8: E813FFFFFF                     call       .00050EBE0 --↑9
.0050ECCD: 85C0                           test        eax,eax
.0050ECCF: 7405                           jz         .00050ECD6 --↓A
.0050ECD1: E96AFBFFFF                     jmp        .00050E840 --↑B
.0050ECD6: 33C0                           xor         eax,eax
.0050ECD8: C3                             retn ; -^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-

now perhaps you see how i saw the configuration names.. which are most likely in the cfg file (or ini)...

and how if the value is 0 (i think), it'll set eax to TRUE (1) and return...
skipping the checks..

so there may be no patching required, just a simple editing of a cfg file, copying files from the cd/dvd drive to the install folder.. job done...

or do you have better ideas cowsheep?, also, without all the files the exe crashes, so debugging it without the complete files, its a bit tricky

[Cowsheep]

I modified the install.cfg already when that crack for original 1.33 (not the new D3d texture error fixed exe that came out later and was requested by thread starter)(http://m0001.gamecopyworld.com/games...ef.shtml#Thief: The Dark Project v1.33 No-CD Patch)

so it looks that way:

Code:

cd_path .\
install_path C:\Thief\
language english
resname_base C:\Thief\+C:\Thief\intrface
load_path C:\Thief\
script_module_path C:\Thief\
movie_path C:\Thief\MOVIES

Game asks for CD anyway. Coping files to hdd and edit install.cfg is not enough, there is check in exe.

I have come across about the routines you posted above, but the problem with this target are that the game reads many files by default from disc depending on the setup type you have choosen. (This files must be copied to hdd if you play without disc.)
So many cd checks are not important for the disc check that serves as protection.

Snd.crf got 117MB and seems to be some kind of archive.

CD check nag appears before the getdrivetypea with cmp eax,5 gets hit. So that one is not part of the protection, the 2 other drive checks compare the result with 1 (hdd).

You use IDA right?

Does my fix where i patched

Code:

0050EC90  /$  B8 01000000   MOV EAX,1
0050EC95  \.  C3            RETN

work for the one who asked for it?

From here the function above is called:

Code:

00415678  |.  6A 00         PUSH 0
0041567A  |.  6A 00         PUSH 0
0041567C  |.  68 7C575E00   PUSH thieffix.005E577C                   ;  ASCII "skip_starting_checks"
00415681  |.  E8 5A4D1300   CALL thieffix.0054A3E0
00415686  |.  83C4 0C       ADD ESP,0C
00415689  |.  84C0          TEST AL,AL
0041568B  |.  75 2F         JNZ SHORT thieffix.004156BC
0041568D  |.  6A 23         PUSH 23
0041568F  |.  6A 00         PUSH 0
00415691  |.  E8 9A37FFFF   CALL thieffix.00408E30
00415696  |.  83C4 08       ADD ESP,8
00415699  |.  85C0          TEST EAX,EAX
0041569B  |.  75 0B         JNZ SHORT thieffix.004156A8
0041569D  |.  50            PUSH EAX
0041569E  |.  6A 01         PUSH 1
004156A0  |.  E8 3B8E1100   CALL thieffix.0052E4E0
004156A5  |.  83C4 08       ADD ESP,8
004156A8  |>  E8 1348FFFF   CALL thieffix.00409EC0
004156AD  |.  85C0          TEST EAX,EAX
004156AF  |.  75 0B         JNZ SHORT thieffix.004156BC
004156B1  |.  50            PUSH EAX
004156B2  |.  6A 01         PUSH 1
004156B4  |.  E8 278E1100   CALL thieffix.0052E4E0
004156B9  |.  83C4 08       ADD ESP,8
004156BC  |>  E8 CF950F00   CALL thieffix.0050EC90
004156C1  |.  85C0          TEST EAX,EAX
004156C3  |.  75 0B         JNZ SHORT thieffix.004156D0
004156C5  |.  50            PUSH EAX
004156C6  |.  6A 01         PUSH 1
004156C8  |.  E8 138E1100   CALL thieffix.0052E4E0
004156CD  |.  83C4 08       ADD ESP,8
004156D0  |>  E8 EB020000   CALL thieffix.004159C0
004156D5  |.  8D5424 40     LEA EDX,DWORD PTR SS:[ESP+40]
004156D9  |.  C74424 40 030>MOV DWORD PTR SS:[ESP+40],3
004156E1  |.  52            PUSH EDX
004156E2  |.  6A 01         PUSH 1
004156E4  |.  68 94575E00   PUSH thieffix.005E5794                   ;  ASCII "display"
004156E9  |.  E8 B24C1300   CALL thieffix.0054A3A0
004156EE  |.  83C4 0C       ADD ESP,0C
004156F1  |.  BF 0E000000   MOV EDI,0E

Yepp, without game its hard.

[Waterdust]

If thats a no cd patch you posted in that rar I'll give it a shot, aslo I don't recall needing
to run a patch on my thief 1- 1.33 install to update it so yeah I believe its a direct 1.33.
oh and also I don't recall needing to fix any Direct3D texture errors thus far.

I'll give it a shot now but on a side note.. *looks at code discussion* ok so maybe I was
wrong when I thought it would be a simple matter of making a no cd patch lol.. jk you
guys are prolly l33t at that stuff an do so in your sleep =p but ya wow @ code talk stuff.

<-- has almost no programming skillz but can read/understand where the discussion is
going somewhat.

*zips up to test the file now*

PS: I searched my install for an ini file which isn't there but several cfg files DO exist and
a movie folder, let me know if you need a screenshot if the install dir.

----------

Edit: However I did need to change the affinity to cpu 0 to keep the game running
originally it seems your patch/fix from the rar comes with the affinity preset which is
very nice ^.^, so far it appears to run fine, I'll have to give it a few levels for my own
personal stability test but so far so good though I don't expect this to fail ultimately
considering the skillz at hand involved =p.

Oh ya if I wasn't clear the game loads up without the cd =p.
I'll post again tomorrow sometime when I get home.

Thanks in advance, if you feel personally confident you should post the patch up
on the net to prevent this nightmare from ever re-raising itself from the dead =p

PSS: I won't go posting the fix on the net as thats not my job so you know,
especially without having a readme that credits those involved properly =)

=========

New Edit: So I loaded a game save that went well, took a few hits died all good.
Then I tried to start a new game with training and the game crashed. Tried again
without the training same thing crash. Hmm.. where to go from here..

Maybe I should mention I run this from F:\Games\Thief\Thief.exe
(Yeah I renamed the patch exe to that but even without renaming it
the error/crash persists.)

Faulting application thief.exe, version 1.9.0.0, faulting module thief.exe,
version 1.9.0.0, fault address 0x001203aa.

0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 74 68 69 ure thi
0018: 65 66 2e 65 78 65 20 31 ef.exe 1
0020: 2e 39 2e 30 2e 30 20 69 .9.0.0 i
0028: 6e 20 74 68 69 65 66 2e n thief.
0030: 65 78 65 20 31 2e 39 2e exe 1.9.
0038: 30 2e 30 20 61 74 20 6f 0.0 at o
0040: 66 66 73 65 74 20 30 30 ffset 00
0048: 31 32 30 33 61 61 0d 0a 1203aa..

&

Faulting application thieffixed.exe, version 1.9.0.0, faulting module thieffixed.exe,
version 1.9.0.0, fault address 0x001203aa.

0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 74 68 69 ure thi
0018: 65 66 66 69 78 65 64 2e effixed.
0020: 65 78 65 20 31 2e 39 2e exe 1.9.
0028: 30 2e 30 20 69 6e 20 74 0.0 in t
0030: 68 69 65 66 66 69 78 65 hieffixe
0038: 64 2e 65 78 65 20 31 2e d.exe 1.
0040: 39 2e 30 2e 30 20 61 74 9.0.0 at
0048: 20 6f 66 66 73 65 74 20 offset
0050: 30 30 31 32 30 33 61 61 001203aa
0058: 0d 0a ..

If you need more error reports let me know.

[Cowsheep]

Install the game - Complete HD installation of Thief.
Apply the Thief: The Dark Project v1.33 Update.
(The patch updates multiple files, cracked exe is not enough, you must install whole patch 1.33 before using any crack.)
Copy the complete contents of the \THIEF\MOVIES directory from the CD to the Thief movie directory (e.g. C:\GAMES\THIEF\MOVIES).
Important: Copy intrface.crf from the Thief base directory
(e.g. C:\GAMES\THIEF) to the \THIEF\INTRFACE directory
(e.g. C:\GAMES\THIEF\INTRFACE) which has been generated by the update patch.

Open install.cfg and place that there (paths must be adjusted ofcourse)

Code:

cd_path .\
install_path C:\Thief\
language english
resname_base C:\Thief\+C:\Thief\intrface
load_path C:\Thief\
script_module_path C:\Thief\
movie_path C:\Thief\MOVIES

For the CPU issues:http://www.saleck.net/Games/Thief1-G...rking.php#ProA

My crack based on the "thief new exe" there.

[TippeX]

maybe add in
test_copy_protect 0
into the cfg like i mentioned
or maybe you just need the
test_copy_protect
line.. either way, experiment, cos im not so sure the exe needs to be patched, there's definately code there to bypass the disk check.

for multi core cpu's just use the oneprocessorlaunch tool i wrote.. does the job fine, works for other games too.

[Cowsheep]

There is also a dark.cfg and a cam.cfg besides the install.cfg.
I pasted test_copy_protect (or test_copy_protect 1 or test_copy_protect 0), but no success.

Any plans for a gui for making a gui or frontend for your oneprocessorlaunch tool?
It works with console parameters fine for me, anyway.

[TippeX]

yeh i plan many things for oneprocessorlaunch, and new protection id release is due soon too, once i have some free time (got a lot of personal real life stuff to deal with at the moment) i'll be updating both, gui for oneprocessorlaunch (and context menus) and beginning protection id 7 with a dual x32 and x64 asm compile build system

as/when those appear is anyones guess though..

[Waterdust]

How does one patch a game that comes fully updated direct from the cd??
Furthermore it IS a full install or so that's what it said when I installed it.


Edit: I see all the movie files aren't in the folder to begin with, moving those now,

dark.cfg & cam.cfg & install.cfg - already in the main dir, however no INTRFACE dir
exists as no patch can be applied since its already updated from the first install.


When I tried to run the 1.33 patch anyways this happened.

"Error: Wrong version."
"Cannot patch this version of the game."
"This patch expects version 1.14 to be the installed version."
"The version currently installed is 1.33"

If for some reason this is unbelievable I can prove it comes as 1.33 from the disk.

-----------

Edit 2: When making the dir that was missing myself and copying over the crf file
into it manually from the cd and running your fix the following error happened.

Thief.exe - No Disk
There is no disk in the drive. Please insert a disk into the drive D:
Cancel - Try Again - Continue

I hit continue 3x and then..

Faulting application thief.exe, version 1.9.0.0, faulting module thief.exe,
version 1.9.0.0, fault address 0x001203aa.

0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 74 68 69 ure thi
0018: 65 66 2e 65 78 65 20 31 ef.exe 1
0020: 2e 39 2e 30 2e 30 20 69 .9.0.0 i
0028: 6e 20 74 68 69 65 66 2e n thief.
0030: 65 78 65 20 31 2e 39 2e exe 1.9.
0038: 30 2e 30 20 61 74 20 6f 0.0 at o
0040: 66 66 73 65 74 20 30 30 ffset 00
0048: 31 32 30 33 61 61 0d 0a 1203aa..


When ran with the normal fix you provided un-renamed the above happens again with this error data.

Faulting application thieffixed.exe, version 1.9.0.0, faulting module thieffixed.exe,
version 1.9.0.0, fault address 0x001203aa.

0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 74 68 69 ure thi
0018: 65 66 66 69 78 65 64 2e effixed.
0020: 65 78 65 20 31 2e 39 2e exe 1.9.
0028: 30 2e 30 20 69 6e 20 74 0.0 in t
0030: 68 69 65 66 66 69 78 65 hieffixe
0038: 64 2e 65 78 65 20 31 2e d.exe 1.
0040: 39 2e 30 2e 30 20 61 74 9.0.0 at
0048: 20 6f 66 66 73 65 74 20 offset
0050: 30 30 31 32 30 33 61 61 001203aa
0058: 0d 0a ..

[DABhand]

Your thief was a remastered version, which was sold for cheaper way after its initial release, like a budget release of it, so it came with latest patch.

[Waterdust]

Prolly.. just waiting on them atm to get back to me.