jle.junky's Tutorial #3 (a quickie)
====================================

i just found a new strategy that changes everything for me. all the apps i had given up on are open to me now... i'll probably write a tutorial on it soon, but i wanted to share it with you here...

ok, the target is Handscape v1.0.1... i had found the key test, and it would say thanks, but then it would still be unregistered... so, i used rsrcedit.prc on the palm emulator (you can find it at palmblvd or somewhere) to open handscape and then look through the forms... i found the "enter serial" form and found the id for the field that you put the serial into. once i had found that, i did a search in the assembly code... for the resource id, not the name, remember. so i was searching not for $aaa, but #1502. i found it just above the reg test:

    00015328 486de2d2 PEA     -7470(A5)
    0001532c 42a7     CLR.L   -(A7)
    0001532e 4eadfae4 JSR     -1308(A5)
    00015332 b640     CMP.W   D0,D3
    00015334 4fef000e LEA     14(A7),A7
    00015338 6628     BNE     L2649
    0001533a 206de2ec MOVEA.L -7444(A5),A0

ok, here's the reg test. the compare of my serial and the right one is at 00015334. SO, i made a copy of handscape.prc and changed the line below it from 6628 to 4e48 (this makes the app break and give control to debuffer). i then started debuffer. don't worry about all the commands and stuff, just get it started and you'll only need one command ;->

i loaded the patched prc into the emu and started it up. i loaded the serial screen and typed in a serial. once i hit ok, debuffer said "ok>", meaning that we were at a breakpoint... in debuffer, i typed ".regs" (no quotes) and it showed me the hex values for all the registers. D0 equaled 0019072c (decimal 1640236) and D3 equaled 00003039 (in decimal, the serial i had entered!).

SO. i closed debuffer, closed the emulator, restarted the emu and loaded a clean copy of handscape. i registered with 1640236 and it worked! the prob here is, it only works with my palm name... pisser.
SO, i looked at the code again...

    00015328 486de2d2 PEA     -7470(A5)
    0001532c 42a7     CLR.L   -(A7)
    0001532e 4eadfae4 JSR     -1308(A5)
    00015332 b640     CMP.W   D0,D3
    00015334 4fef000e LEA     14(A7),A7
    00015338 6628     BNE     L2649
    0001533a 206de2ec MOVEA.L -7444(A5),A0

hmmm, i thought, what if i put in a line that said MOVE D0,D3, copying the good serial to the location of my bad one... SO, i found the code for MOVE D0,D3 (2600) and then patched a clean handscape at 0001532e. i had to use 26004e71, so that it was the same size as the instruction i was replacing, adding the 4e71 (NOP) to the end as filler. goddamn if it didn't work!

jle.junky[pc]
jle : http://www.jlejunky.com
mail : mailto:jlejunky@hotmail.com
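The two byte-level changes described above, seen from the side of someone who has to spot them: the following is an added example, not code from the tutorial or from Handscape. It diffs the listing's original instruction words against each modified copy, names the handful of 68k words that appear on the page (BNE, TRAP, MOVE.L, NOP, JSR), and takes a digest over the fragment to show that a code-integrity check catches a one-word edit that a lone CMP/BNE never will. All bytes are constructed from the listing above; the addresses are the listing's own, and nothing else about the program is assumed.

```python
# Added example: word-level diff of a 68k code fragment against a modified
# copy, plus a digest over the fragment.  Bytes are constructed from the
# disassembly listing in the tutorial; offsets are relative to its first
# address (0x00015328).
import hashlib

BASE = 0x00015328

# Constructed from the listing: the seven instructions of the reg test.
ORIGINAL = bytes.fromhex(
    "486de2d2"   # 00015328  PEA     -7470(A5)
    "42a7"       # 0001532c  CLR.L   -(A7)
    "4eadfae4"   # 0001532e  JSR     -1308(A5)
    "b640"       # 00015332  CMP.W   D0,D3
    "4fef000e"   # 00015334  LEA     14(A7),A7
    "6628"       # 00015338  BNE     L2649
    "206de2ec"   # 0001533a  MOVEA.L -7444(A5),A0
)

# Constructed: the two modified copies the text describes.
BREAK_COPY = bytearray(ORIGINAL)
BREAK_COPY[0x10:0x12] = bytes.fromhex("4e48")      # BNE -> TRAP #8 at 00015338

MOVE_COPY = bytearray(ORIGINAL)
MOVE_COPY[0x06:0x0a] = bytes.fromhex("26004e71")   # JSR -> MOVE.L D0,D3 ; NOP at 0001532e


def describe_word(w: int) -> str:
    """Name the few 68k instruction words that occur on the page; hex otherwise."""
    if w == 0x4E71:
        return "NOP"
    if (w & 0xFFF0) == 0x4E40:                     # TRAP #vector (the debugger hooks #8)
        return f"TRAP #{w & 0xF}"
    if (w & 0xFF00) == 0x6600 and (w & 0xFF):      # BNE with an 8-bit displacement
        return f"BNE .+{w & 0xFF:#x}"
    if (w & 0xF1F8) == 0x2000:                     # MOVE.L Dsrc,Ddst (register direct)
        return f"MOVE.L D{w & 7},D{(w >> 9) & 7}"
    if (w & 0xFFF8) == 0x4EA8:                     # JSR d16(An); displacement in the next word
        return f"JSR d16(A{w & 7})"
    return f"${w:04x}"


def diff_words(orig: bytes, mod: bytes, base: int = BASE):
    """Return (address, old_word, new_word) for every 16-bit word that differs."""
    if len(orig) != len(mod) or len(orig) % 2:
        raise ValueError("images must be the same even length")
    changes = []
    for off in range(0, len(orig), 2):
        old = int.from_bytes(orig[off:off + 2], "big")
        new = int.from_bytes(mod[off:off + 2], "big")
        if old != new:
            changes.append((base + off, old, new))
    return changes


def code_digest(blob: bytes) -> str:
    """SHA-256 over the code image; any single-word edit changes it."""
    return hashlib.sha256(blob).hexdigest()


def report(orig: bytes, mod: bytes) -> list[str]:
    """Human-readable lines: one per changed word, plus a digest verdict."""
    lines = []
    for addr, old, new in diff_words(orig, mod):
        lines.append(f"{addr:08x}: {old:04x} {describe_word(old):<14} -> "
                     f"{new:04x} {describe_word(new)}")
    if code_digest(orig) != code_digest(mod):
        lines.append("digest mismatch: code image was modified")
    return lines


if __name__ == "__main__":
    for name, copy in (("break copy", BREAK_COPY), ("move copy", MOVE_COPY)):
        print(f"--- {name}")
        print("\n".join(report(ORIGINAL, bytes(copy))))
```

Run it as a script and each modified copy is reported word by word at the listing's addresses; the digest line is the part that matters for a defender, since a check that compares the code image against a stored digest fires on either edit regardless of which instruction was touched.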