Target game: Microshaft's NBA Full Court Press

I'm sorry all you microshaft haters (incl. me)... but I didn't have a choice...=/

Toolz used: W32Dasm v8.93 & Hiew 6.16 (Regedit Extensions... not necessary)

Some preparing hints: Assuming u have mp3z on your harddrive (or cd), start your fav mp3 player and load your fav songs.. ye won't get so bored whilst readin' and patchin'...=)

This piece of text expanded quite a bit.. don't read it all at once =) Hopefully u'll understand me from most of the parts.. my english suxs.. and so does my knowledge of asm... but hopefully u still learn something.. (I did..)

Step 1. Start with the install of course. Make a full install, and after it's done, goto the CD and copy every file under the directory "Bot" to your harddrive (of course u have to put them into the dir "Bot" under where u installed nba).. if u did everything correctly the nba folder size should be about 450 megs...

Step 2. Make a backup of Nba_fcp.exe (that's how it's named in my version.. dunno if it's different in some other versions) and load it into W32Dasm. Next we wanna of course find the spot where to place the patch, so grab the CD outta the drive and start the game. "Insert ...", typical message.. argh... can't they come up with anything else?.. borin'.. But anywayz.. u should be able to find the right place using search or Strn Refs... found it already?.. g00d..

* Possible StringData Ref from Data Obj ->"name811"
                                  |
:004409A5 68A8D94F00              push 004FD9A8
:004409AA E821E60600              call 004AEFD0
:004409AF 83C404                  add esp, 00000004
:004409B2 50                      push eax
:004409B3 E808D50700              call 004BDEC0
:004409B8 83C408                  add esp, 00000008
:004409BB 8945E4                  mov dword ptr [ebp-1C], eax
:004409BE 85C0                    test eax, eax
:004409C0 740B                    je 004409CD
:004409C2 50                      push eax
:004409C3 E888D20700              call 004BDC50
:004409C8 83C404                  add esp, 00000004
:004409CB EB49                    jmp 00440A16

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004409C0(C)   <-- *
|
:004409CD 8D4DDC                  lea ecx, dword ptr [ebp-24]
:004409D0 E84F400900              call 004D4A24
:004409D5 C645FC04                mov [ebp-04], 04
:004409D9 8D4DE8                  lea ecx, dword ptr [ebp-18]
:004409DC E843400900              call 004D4A24

* Possible Reference to String Resource ID=03153: "Insert the Microsoft NBA Full Court Press CD to start the ga"

hmm... doesn't that text look familiar?.. arghh... yes it does... Ok.. let's get started with patching... a quick look over the code reveals sumfin'... (not much but somethin'.. hmm.. I must be learning...)... if you've done some cracking before u probably guessed where to start.. u could start by noticing the referenced jump* ... if u look closely enough u should notice that following the jump will only go up a bit.. so head over there... (note that the asm code below is the same as the one above... I just cut the lower part)

* Possible StringData Ref from Data Obj ->"name811"
                                  |
:004409A5 68A8D94F00              push 004FD9A8
:004409AA E821E60600              call 004AEFD0
:004409AF 83C404                  add esp, 00000004
:004409B2 50                      push eax
:004409B3 E808D50700              call 004BDEC0        <-- what's this...
:004409B8 83C408                  add esp, 00000008
:004409BB 8945E4                  mov dword ptr [ebp-1C], eax
:004409BE 85C0                    test eax, eax        <-- hmm.. test eax.. does it match?
:004409C0 740B                    je 004409CD          <-- yes.. then jump*
:004409C2 50                      push eax
:004409C3 E888D20700              call 004BDC50        <-- ... and this?
:004409C8 83C404                  add esp, 00000004
:004409CB EB49                    jmp 00440A16

Hmm.. At this point I thought "Whoa.. this one's very ez..".. but I made a mistake.. hmph...=) If u try to patch the jump* and start the game, you'll only get a gpf (general protection fault). So that's not the right place... (although there's a solution here already...*g*)... so.. again scroll a tiny bit up 'til u see this...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00440A1A(C)   <-- geez.. this looks nice..
|
* Possible StringData Ref from Data Obj ->"r"
                                  |
:004409A0 681CD14F00              push 004FD11C

Nothing much here to do... follow the jump...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004409CB(U)
|
:00440A16 837DE400                cmp dword ptr [ebp-1C], 00000000   <-- compare.. 00=fail, 01=pass
:00440A1A 7484                    je 004409A0                        <-- this' the jumpie...
:00440A1C 68002D3101              push 01312D00

* Possible Reference to String Resource ID=00002: "Celtics"

Whoa.. now it seems like we're getting sumwhere.. and yes.. this is a good place to put our patch.. like u should've guessed there's two ways to pass the check at this point...

1. Change cmp to 1
2. Reverse the jump (or NOP it)

Choose whichever way u want...

This section is only for those who don't know how to patch the check.. advanced ppl go on...

In W32Dasm.. move the line over the jump location (but don't jump) and it should turn green.. now if u look at the lower part of w32dasm u see @Offset 0003FE1Ah... take the number part only (leave the "h" out.. it only means hex). Now start Hiew and load the .exe in it. Press Enter two times, then F5 and enter the number. If u succeeded, press F3 and make the following change(s)

1. 837DE400 -> 837DE40|1|
2. 7484 -> 7|5|84 or 9090

After done with modifications, press F9 and ESC to quit Hiew.

ok... assuming u've made the change, try starting NBA and if everything went ok (don't mind the nag that still complains about the cd, just press ok) the game should start... but now if u try to start a single game or whatever, u probably get an error message relating to some of the .Bot files.. now u have to modify your Registry a bit (u should know what it is.. if u dont.. ask sum1). Goto the Registry and type a search String (I used NBA).. it takes awhile to find the right place (ignore everything else.. u know when u're in the right plaza...) U should see something like this (I won't type it all here...)

AVIPath  "blah blah"
CDPath   "blah blah"
HDPath   eg. "c:\games\nba"
etc..

Wherever there's some sort of Path mentioned or Dir.. change it to equal the drive where u installed nba (eg. c:)..

AVIPath  "C:"
CDPath   "C:"
HDPath   "C:"   (not necessary.. leave it untouched if u wish..)

Every Path related to the installation directory can be left untouched.. Edit every path to "C:" or corresponding and start the game... does it work?.. Yes it does (works on my cpu... don't come complaining to me if you've made any mistakes..=)

Ok.. this should do it.. U've cracked the game... (Not in the cleanest way.. but still).. Every perfectionist will probably be asking "How to crack the game so that the nag won't show up?".. hmm.. I thought "Whatta hell... If ppl want it.. I'll give it.." U c'n stop reading at this point if u want.. I'll only show the other way..

------------------------------------------------------------------------------------------------

Let's move back to the start (and assuming u've replaced the modified .exe with the backup...)

* Possible StringData Ref from Data Obj ->"name811"
                                  |
:004409A5 68A8D94F00              push 004FD9A8
:004409AA E821E60600              call 004AEFD0
:004409AF 83C404                  add esp, 00000004
:004409B2 50                      push eax
:004409B3 E808D50700              call 004BDEC0        <-- remember these...
:004409B8 83C408                  add esp, 00000008
:004409BB 8945E4                  mov dword ptr [ebp-1C], eax
:004409BE 85C0                    test eax, eax
:004409C0 740B                    je 004409CD
:004409C2 50                      push eax
:004409C3 E888D20700              call 004BDC50        <-- two calls...? U should...
:004409C8 83C404                  add esp, 00000004
:004409CB EB49                    jmp 00440A16

This is the same code as in the beginning of this .txt... Ok.. the secret of patchin' this "cleanly" lies beneath these two calls.. I bet u know what to do with them.. mov eax, 00000001 ... both of 'em.. (arghh.. my hands are cramping at this point) If u replace only the first.. u'll get a gpf (dunno why exactly..?).. if only the last.. the nag's still there.... that's why u have to take both of 'em... (dont ask me why.. at this point the asm code beat my knowledge of it...)... after you're done with mov(ing) them.. make the same registry mods as shown a few lines back... and now u should have a "Clean" crack..=)

- Microshaft's ABN (Anal Bear Nuggets) was krakked by C_DKnight

hmm... if some of u still remember me.. I'm the same person as mr. Cloud [StarGazer]...

Greetz: go out to tKC (for publishing my tutz.. thx a billion times..=), dAvId/nightmare for his excellent tuts.. plus every cracker who's written at least one tut.. plus the great gurus Beowulf, Grudge, Sun-Tzu, G-Rom etc.. there are too many of them..=).. U rule..

c_dknight@iobox.com

This phile was written on the 24th of October 1999... uses crackers and babies.