[cH]

------------------------------------------------------------------------------

Welcome to my first tutorial for PC98. I hope that by writing this I can help a lot of newbies :-)

Well, as you probably already noticed (from the NFO), this tutorial is about

   * MoreSpace '95 29b *

To follow this tutorial step-by-step you need W32Dasm and a HEX-editor!
And remember *ALWAYS* to make a BACKUP!! I can *NOT* be held responsible if you have to re-download the program, make a low-level format, need new hardware, or whatever else you might mess up!

I would also like to say that this is *NOT* the only way of patching it, but I think it's kinda the easiest..at least I hope ;)

Well, after yelling at ya, I hope you enjoy it...have fun!

Are you ready? Well, let's go!

1. Run the program and look for nags/limitations...do you see any? Sure you do. When you try to select more than one drive, you get this:

   *Select multiple drives in registered version only*

   This sucks, so we decide to remove this annoying message.

2. You launch W32Dasm and disassemble MORESPAC.EXE. It's kinda big, so sit back and relax....is it done? Cool!
   Now you choose STRING DATA REFERENCE, to see what's really inside the prog. There you scroll down a couple of pages, till you find the message! Do you remember the message? Sure you do, 'cause it's mentioned above ;)

3. Double-click on the message, and close the SDR window. By double-clicking more than once on the message you'll see that there are more references.. but no matter which of the references you see, you always notice the CALL 0043BB50 just above the reference...since it's there all the time, and it's the last CALL, that seems like something we have to mess with..

   Here's what you should see:

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:004D52B6(C)
   |
   :004D52CE 8B877C020000    mov eax, dword ptr [edi+0000027C]
   :004D52D4 B101            mov cl, 01
   :004D52D6 8B157CAC4F00    mov edx, dword ptr [004FAC7C]
   :004D52DC E86F68F6FF      call 0043BB50          ; interesting

   * Possible StringData Ref from Code Obj ->"Select multiple drives in registered"
                                           ->"version only"
   |
   :004D52E1 B860534D00      mov eax, 004D5360
   :004D52E6 E889C2FAFF      call 00481574          ; interesting
   :004D52EB EB42            jmp 004D532F

   Two CALLs..the first shows the messagebox, and the second disables your selection..I think we'd better change both. ;)

4. Now, after reading what I just told you, you already know what to do..or? Sure you do..you need to enter these CALLs, and to do that place the green line on the line:

   :004D52DC E86F68F6FF      call 0043BB50

   and press the right arrow.
   Now you should be in the CALL and see the following:

   * Referenced by a CALL at Addresses:
   |:004C67A3 , :004C6C81 , :004C6CC5 , :004C6D09 , :004C6D4D
   |:004CD5E3 , :004CFCE5 , :004CFD29 , :004D52C5 , :004D52DC
   |:004D5541 , :004D5564 , :004DDB89 , :004DDBA2 , :004DFDFE
   |:004E1DF5 , :004E1E0E , :004E1FCA , :004E2002 , :004F600D
   |:004F6026
   |
   :0043BB50 55              push ebp
   :0043BB51 8BEC            mov ebp, esp
   :0043BB53 83C4F4          add esp, FFFFFFF4
   :0043BB56 53              push ebx
   :0043BB57 56              push esi
   :0043BB58 57              push edi
   :0043BB59 33DB            xor ebx, ebx
   :0043BB5B 895DF4          mov dword ptr [ebp-0C], ebx
   :0043BB5E 8BD9            mov ebx, ecx
   :0043BB60 8BF2            mov esi, edx
   :0043BB62 8BF8            mov edi, eax
   :0043BB64 33C0            xor eax, eax
   :0043BB66 55              push ebp
   :0043BB67 68D1BB4300      push 0043BBD1
   :0043BB6C 64FF30          push dword ptr fs:[eax]
   :0043BB6F 648920          mov dword ptr fs:[eax], esp
   :0043BB72 56              push esi
   :0043BB73 33C0            xor eax, eax
   :0043BB75 8AC3            mov al, bl
   :0043BB77 50              push eax
   :0043BB78 6885010000      push 00000185
   :0043BB7D 8BC7            mov eax, edi
   :0043BB7F E800A9FEFF      call 00426484
   :0043BB84 50              push eax

5. Hmm...seems like this code makes a message which we don't like..and that it's called from a lot of places. Then you think: "Then I just NOP (=90) all the references and that should be it", and you're probably right, but it's a sloooowwww way of doing it, and since I'm lazy I don't wanna do it slow. "Then what?", you say..well, since this CALL is called from several references it would be smartest to change something inside the CALL. "But what?....", well, since we know that when this CALL has finished executing we return to the reference, we might just as well skip all the lines that call the messagebox. You do that by changing the line

   *:0043BB50 55 PUSH EBP*

   to RETN (=C3). This will make the CALL return as soon as it's called, as if it had already shown the messagebox.

6.
   To see where to change the 55 to C3, you make sure the green line is on that line, and look at the bottom of the W32Dasm window, where you'll see:

   @Offset 0003AF50h

   Now we need to enter the second CALL (remember?)! This call looks like this:

   * Referenced by a CALL at Addresses:
   |:00482FAC , :00482FCA , :00483610 , :0048361C , :004C0121
   |:004C01B8 , :004C9DBA , :004C9DFC , :004CE2C5 , :004CE38D
   |:004CE491 , :004CE555 , :004CF6A9 , :004D06C0 , :004D08C5
   |:004D0B60 , :004D0CAA , :004D52E6 , :004DDBAC , :004E1E18
   |:004EB1FE , :004EC2CE , :004F6030
   |
   :00481574 55              push ebp
   :00481575 8BEC            mov ebp, esp
   :00481577 51              push ecx
   :00481578 8945FC          mov dword ptr [ebp-04], eax
   :0048157B 8B45FC          mov eax, dword ptr [ebp-04]
   :0048157E E8F129F8FF      call 00403F74
   :00481583 33C0            xor eax, eax
   :00481585 55              push ebp
   :00481586 68BA154800      push 004815BA
   :0048158B 64FF30          push dword ptr fs:[eax]
   :0048158E 648920          mov dword ptr fs:[eax], esp
   :00481591 6A00            push 00000000
   :00481593 668B0DC4154800  mov cx, word ptr [004815C4]
   :0048159A B202            mov dl, 02
   :0048159C 8B45FC          mov eax, dword ptr [ebp-04]
   :0048159F E8C018FCFF      call 00442E64
   :004815A4 33C0            xor eax, eax
   :004815A6 5A              pop edx
   :004815A7 59              pop ecx
   :004815A8 59              pop ecx
   :004815A9 648910          mov dword ptr fs:[eax], edx
   :004815AC 68C1154800      push 004815C1

   Actually it looks like the first CALL, so let's just try to do the same to both CALLs! Again you place the green line on the *:00481574 55 PUSH EBP* and see:

   @Offset: 00080974h

7. But that's not all..if you once again open the SDR window and scroll down, you'll notice a line saying: *UNREGISTERED VERSION*. WE DON'T LIKE THAT!!! Double-click on the line and you should see this:

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0048A072(U)
   |
   :0048A08D E87E490600      call 004EEA10          ; a call..hmm
   :0048A092 84C0            test al, al
   :0048A094 7534            jne 0048A0CA           ; Sounds suspicious....
   * Possible StringData Ref from Code Obj ->"UNREGISTERED VERSION"
   |
   :0048A096 BAD0A24800      mov edx, 0048A2D0
   :0048A09B 8D8520FEFFFF    lea eax, dword ptr [ebp+FFFFFE20]
   :0048A0A1 E8AEA0F7FF      call 00404154
   :0048A0A6 E8F8B4F7FF      call 004055A3
   :0048A0AB E8C486F7FF      call 00402774

8. Doesn't the line *:0048A094 7534 jne 0048A0CA* sound suspicious? (JNE = JUMP IF NOT EQUAL)...."Well, let's change it", you say..ok, let's try! Let's try changing JNE to JMPS (75 -> EB). So once again you place the green line on the line, and notice the offset at the bottom..which is:

   @Offset 00089494h

9. Now we have three things to change...but is that all? Well, it could be, so we might as well try it.

10. Launch your favorite HEX-editor, and change the offsets! (For HIEW users I will explain how to change it)

   Launch HIEW MORESPAC.EXE
   Press F4 and go to decode mode.
   Here you press F5 and type in the first offset: 0003AF50h
   Press F3, and type C3
   Press F9 to update your changes.

   Now you remember that we have three places to patch, so...

   Press F5 again, and type in the second offset: 00080974h
   Press F3, and type C3
   Press F9 to update your changes.

   To patch the...no, I think you figured it out..just remember to press F9 after the final change.

   Quit HIEW, and launch the program...

11. Do you see the messagebox? Do you see your selection being removed? Do you (when setting the date a year forward) see the NAG? Well, I don't, so I guess you don't either.. ;)

   The program is now cracked, and ready to run UNLIMITED for ever ;)

That's all for now..hope to see ya all soon, in my next tutorial..
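As an added example (not part of the tutorial), here is how a vendor or analyst could map the W32Dasm virtual addresses quoted above to file offsets and verify that the three guard sites still hold their original bytes, i.e. a small integrity check that detects exactly the kind of byte edits described. It assumes an image base of 0x400000 and a single code section at RVA 0x1000 with raw offset 0x400; these values are not on the page but are the ones that reproduce the three @Offset values W32Dasm shows.

```python
# Added integrity-check example; the PE layout below is an assumption chosen so that
# va_to_offset() reproduces the @Offset values quoted in the tutorial.
IMAGE_BASE = 0x400000
SECTION_VA = 0x1000     # assumed .text VirtualAddress
SECTION_RAW = 0x400     # assumed .text PointerToRawData


def va_to_offset(va, image_base=IMAGE_BASE, section_va=SECTION_VA, section_raw=SECTION_RAW):
    """Convert a virtual address from the disassembly listing into a file offset."""
    rva = va - image_base
    if rva < section_va:
        raise ValueError("address lies before the assumed code section")
    return rva - section_va + section_raw


# Original bytes at the three sites the tutorial identifies (taken from the listing).
GUARD_SITES = {
    "nag_messagebox_0043BB50":   (0x0043BB50, b"\x55"),      # push ebp
    "deselect_00481574":         (0x00481574, b"\x55"),      # push ebp
    "unregistered_jne_0048A094": (0x0048A094, b"\x75\x34"),  # jne 0048A0CA
}


def check_guards(image: bytes):
    """Return {site: 'intact' | 'patched' | 'out of range'} for each guard site."""
    result = {}
    for name, (va, expected) in GUARD_SITES.items():
        off = va_to_offset(va)
        actual = image[off:off + len(expected)]
        if len(actual) < len(expected):
            result[name] = "out of range"
        elif actual == expected:
            result[name] = "intact"
        else:
            result[name] = "patched"
    return result


def _constructed_image(tampered: bool) -> bytes:
    """Constructed dummy image (not the real EXE) large enough to cover all three offsets."""
    img = bytearray(0x90000)
    for va, expected in GUARD_SITES.values():
        off = va_to_offset(va)
        img[off:off + len(expected)] = expected
    if tampered:
        # Alter two of the three sites so the check has something to flag.
        img[va_to_offset(0x0043BB50)] = 0xC3
        img[va_to_offset(0x0048A094)] = 0xEB
    return bytes(img)
```

Running check_guards() over the real file would use the bytes read from disk instead of the constructed image; a whole-file hash is the simpler alternative when you do not need to know which site was altered.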