[cH]
------------------------------------------------------------------------------

Welcome to my first tutorial for PC98. I hope that by writing this I can help
a lot of newbies :-)

Well, as you probably already noticed (from the NFO), this tutorial is about
                            * MoreSpace '95 29b * 

To follow this tutorial step-by-step you need W32Dasm and a HEX-editor!
And remember *ALWAYS* to make a BACKUP!! I can *NOT* be held responsible if
you have to re-download the program, do a low-level format, need new hardware,
or whatever else you might mess up!

I would also like to say that this is *NOT* the only way of patching it, but
I think it's kinda the easiest..at least I hope ;)



Well, after yelling at ya, I hope you enjoy it...have fun!

Are you ready? Well, let's go!

1. Run the program and look for nags/limitations...do you see any?
   Sure you do. When you try to select more than one drive, you get this:
          *Select multiple drives in registered version only*
   This sucks, so we decide to remove this annoying message.

2. You launch W32Dasm and disassemble MORESPAC.EXE. It's kinda big, so sit
   back and relax....is it done? Cool!
   Now you choose STRING DATA REFERENCES, to see what's really inside the prog.
   There you scroll down a couple of pages, till you find the message!
   Do you remember the message? Sure you do, 'cause it's mentioned above ;)

3. Double-click on the message, and close the SDR window. By double-clicking
   more than once on the message you'll see that there are more references..
   but no matter which of the references you look at, you always notice the
   CALL 0043BB50 just above the reference...since it's there all the time,
   and it's the last CALL before the string, that seems like something we
   have to mess with..
   Here's what you should see:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D52B6(C)
|
:004D52CE 8B877C020000            mov eax, dword ptr [edi+0000027C]
:004D52D4 B101                    mov cl, 01
:004D52D6 8B157CAC4F00            mov edx, dword ptr [004FAC7C]
:004D52DC E86F68F6FF              call 0043BB50            ; interesting

* Possible StringData Ref from Code Obj ->"Select multiple drives in registered"
                                        ->"version only"
                                  |
:004D52E1 B860534D00              mov eax, 004D5360
:004D52E6 E889C2FAFF              call 00481574            ; interesting
:004D52EB EB42                    jmp 004D532F

   Two CALL's..the first which shows the messagebox, and the second which
   disables your selection..I think we'd better change both. ;)


4. Now, after reading what I just told you, you already know what to do..or?
   Sure you do..you need to enter these CALL's, and to do that you place the
   green line on the line:  :004D52DC E86F68F6FF CALL 0043BB50  and press the
   right arrow. Now you should be inside the CALL and see the following:

* Referenced by a CALL at Addresses:
|:004C67A3   , :004C6C81   , :004C6CC5   , :004C6D09   , :004C6D4D   
|:004CD5E3   , :004CFCE5   , :004CFD29   , :004D52C5   , :004D52DC   
|:004D5541   , :004D5564   , :004DDB89   , :004DDBA2   , :004DFDFE   
|:004E1DF5   , :004E1E0E   , :004E1FCA   , :004E2002   , :004F600D   
|:004F6026   
|
:0043BB50 55                      push ebp
:0043BB51 8BEC                    mov ebp, esp
:0043BB53 83C4F4                  add esp, FFFFFFF4
:0043BB56 53                      push ebx
:0043BB57 56                      push esi
:0043BB58 57                      push edi
:0043BB59 33DB                    xor ebx, ebx
:0043BB5B 895DF4                  mov dword ptr [ebp-0C], ebx
:0043BB5E 8BD9                    mov ebx, ecx
:0043BB60 8BF2                    mov esi, edx
:0043BB62 8BF8                    mov edi, eax
:0043BB64 33C0                    xor eax, eax
:0043BB66 55                      push ebp
:0043BB67 68D1BB4300              push 0043BBD1
:0043BB6C 64FF30                  push dword ptr fs:[eax]
:0043BB6F 648920                  mov dword ptr fs:[eax], esp
:0043BB72 56                      push esi
:0043BB73 33C0                    xor eax, eax
:0043BB75 8AC3                    mov al, bl
:0043BB77 50                      push eax
:0043BB78 6885010000              push 00000185
:0043BB7D 8BC7                    mov eax, edi
:0043BB7F E800A9FEFF              call 00426484
:0043BB84 50                      push eax


5. Hmm...seems like this code makes a message which we don't like..and that
   it's called from a lot of places. Then you think: "Then I just NOP (=90)
   all the references and that should be it", and you're probably right, but
   it's a sloooowwww way of doing it, and since I'm lazy I don't wanna do
   it slow. "Then what?", you say..well since this CALL is called from several
   references it would be smartest to change something inside the CALL.
   "But what....", well since we know that when this CALL has been executed,
   we return to the reference, we might just as well skip all the lines that
   call the messagebox. That you do by changing the line
                         *:0043BB50 55 PUSH EBP*
   to RETN (=C3). This will make the CALL return as soon as it's called, as if
   it had already shown the messagebox. (Note that the caller passes its
   arguments in registers, EAX, EDX and CL, and pushes nothing before the
   CALL, so the stack is still balanced after the early return.)


6. To see where to change the 55 to C3, you make sure the green line is on
   that line, and look at the bottom of the W32Dasm window, where you'll see:
   @Offset 0003AF50h
   Now we need to enter the second CALL (remember?)!
   This call looks like this:

* Referenced by a CALL at Addresses:
|:00482FAC   , :00482FCA   , :00483610   , :0048361C   , :004C0121   
|:004C01B8   , :004C9DBA   , :004C9DFC   , :004CE2C5   , :004CE38D   
|:004CE491   , :004CE555   , :004CF6A9   , :004D06C0   , :004D08C5   
|:004D0B60   , :004D0CAA   , :004D52E6   , :004DDBAC   , :004E1E18   
|:004EB1FE   , :004EC2CE   , :004F6030   
|
:00481574 55                      push ebp
:00481575 8BEC                    mov ebp, esp
:00481577 51                      push ecx
:00481578 8945FC                  mov dword ptr [ebp-04], eax
:0048157B 8B45FC                  mov eax, dword ptr [ebp-04]
:0048157E E8F129F8FF              call 00403F74
:00481583 33C0                    xor eax, eax
:00481585 55                      push ebp
:00481586 68BA154800              push 004815BA
:0048158B 64FF30                  push dword ptr fs:[eax]
:0048158E 648920                  mov dword ptr fs:[eax], esp
:00481591 6A00                    push 00000000
:00481593 668B0DC4154800          mov cx, word ptr [004815C4]
:0048159A B202                    mov dl, 02
:0048159C 8B45FC                  mov eax, dword ptr [ebp-04]
:0048159F E8C018FCFF              call 00442E64
:004815A4 33C0                    xor eax, eax
:004815A6 5A                      pop edx
:004815A7 59                      pop ecx
:004815A8 59                      pop ecx
:004815A9 648910                  mov dword ptr fs:[eax], edx
:004815AC 68C1154800              push 004815C1

   Actually it looks like the first CALL, so let's just try to do the same to
   both CALL's! Again you place the green line on the
                   *:00481574 55  PUSH EBP*
   and see:
   @Offset: 00080974h

7. But that's not all..if you once again open the SDR window and scroll down,
   you'll notice a line saying: *UNREGISTERED VERSION*, WE DON'T LIKE THAT !!!
   Double-click on the line and you should see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048A072(U)
|
:0048A08D E87E490600              call 004EEA10   ; a call..hmm
:0048A092 84C0                    test al, al
:0048A094 7534                    jne 0048A0CA    ; Sounds suspicious....

* Possible StringData Ref from Code Obj ->"UNREGISTERED VERSION"
                                  |
:0048A096 BAD0A24800              mov edx, 0048A2D0
:0048A09B 8D8520FEFFFF            lea eax, dword ptr [ebp+FFFFFE20]
:0048A0A1 E8AEA0F7FF              call 00404154
:0048A0A6 E8F8B4F7FF              call 004055A3
:0048A0AB E8C486F7FF              call 00402774

8. Doesn't the line: *:0048A094 7534 jne 0048A0CA*, sound suspicious?
   (JNE = JUMP IF NOT EQUAL)...."Well, let's change it", you say..ok let's try!
   Let's try changing JNE to JMPS (75 -> EB). So once again you place the
   green line on the line, and notice the offset at the bottom..which is:
   @Offset 00089494h

9. Now we have three things to change...but is that all? Well, it could be,
   so we might as well try it.

10.Launch your favorite HEX-editor, and change the bytes at those offsets!
   (For HIEW users I will explain how to change them)

   Launch HIEW MORESPAC.EXE
   Press F4 and go to decode mode.
   Here you press F5 and type in the first offset:  0003AF50h
   Press F3, and type C3
   Press F9 to update your changes.
   Now you remember that we have three places to patch, so...
   Press F5 again, and type in the second offset:  00080974h
   Press F3, and type C3
   Press F9 to update your changes.
   To patch the...no, I think you figured it out..just remember to press F9
   after the final change.
   Quit HIEW, and launch the program...

11.Do you see the messagebox? Do you see your selection being removed?
   Do you (when setting the date a year forward) see the NAG?
   Well I don't, so I guess you don't either.. ;)
   The program is now cracked, and ready to run UNLIMITED forever ;)
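A note from the other side of the fence. The whole walkthrough above comes down to three single-byte edits at known file offsets, and that is exactly what a vendor's or an analyst's integrity check looks for. The Python below is an added example, not part of this tutorial or of the MoreSpace program: it maps the virtual addresses W32Dasm shows to file offsets through the PE section header, then compares the bytes at the three locations against the opcodes from the listings above. The section geometry (ImageBase 0x400000, code section at RVA 0x1000 with PointerToRawData 0x400) is an assumption; it is the layout that reproduces all three address/offset pairs quoted in the text. The "image" it checks is a constructed, zero-filled stand-in for MORESPAC.EXE, not the real file.

```python
"""Integrity check for the three patch points described in the tutorial.

Added example (not the tutorial's or the program's own code). It shows how a
defender detects the single-byte tampering the text describes, by (1) mapping
the virtual addresses W32Dasm prints to file offsets via the PE section header
and (2) comparing the bytes found there against the expected opcodes.

The section layout below is an ASSUMPTION: it is the only simple geometry
consistent with the three address/offset pairs quoted in the tutorial.
"""
import hashlib

# Assumed PE layout for the code section (see docstring).
IMAGE_BASE = 0x400000
TEXT_VIRTUAL_ADDRESS = 0x1000      # RVA of the code section
TEXT_POINTER_TO_RAW_DATA = 0x400   # file offset of the code section


def va_to_file_offset(va: int) -> int:
    """Translate a virtual address to a file offset inside the code section."""
    rva = va - IMAGE_BASE
    return rva - TEXT_VIRTUAL_ADDRESS + TEXT_POINTER_TO_RAW_DATA


# Expected bytes at each sensitive location, taken from the tutorial's listings:
# two function prologues (push ebp / mov ebp,esp) and the conditional jump.
EXPECTED = {
    0x0043BB50: bytes.fromhex("558BEC83C4F4"),   # push ebp; mov ebp,esp; add esp,-0C
    0x00481574: bytes.fromhex("558BEC51"),       # push ebp; mov ebp,esp; push ecx
    0x0048A094: bytes.fromhex("7534"),           # jne 0048A0CA
}


def check_patch_points(image: bytes, expected=EXPECTED):
    """Return a list of (va, file_offset, expected_hex, actual_hex) per mismatch."""
    findings = []
    for va, want in expected.items():
        off = va_to_file_offset(va)
        got = image[off:off + len(want)]
        if got != want:
            findings.append((va, off, want.hex().upper(), got.hex().upper()))
    return findings


def sha256_hex(image: bytes) -> str:
    """Whole-file hash: the coarse check that catches any modification at all."""
    return hashlib.sha256(image).hexdigest()


def build_constructed_image() -> bytearray:
    """Constructed stand-in for MORESPAC.EXE: zero-filled, with only the bytes
    at the three locations set to the values the listings show."""
    image = bytearray(0x90000)
    for va, want in EXPECTED.items():
        off = va_to_file_offset(va)
        image[off:off + len(want)] = want
    return image


def build_tampered_image() -> bytearray:
    """The constructed image after the three edits the tutorial describes
    (55 -> C3 at both prologues, 75 -> EB at the jump); this is the positive
    sample the detector must flag."""
    image = build_constructed_image()
    image[va_to_file_offset(0x0043BB50)] = 0xC3
    image[va_to_file_offset(0x00481574)] = 0xC3
    image[va_to_file_offset(0x0048A094)] = 0xEB
    return image


if __name__ == "__main__":
    clean = build_constructed_image()
    tampered = build_tampered_image()
    print("clean    sha256:", sha256_hex(clean))
    print("tampered sha256:", sha256_hex(tampered))
    for va, off, want, got in check_patch_points(tampered):
        print(f"VA {va:08X} @Offset {off:08X}h: expected {want}, found {got}")
```

The whole-file hash is the cheap first line: any modification changes it. The per-location check is what tells you *which* protection was hit, which is what you want when a support ticket or a crash report arrives with a binary that "behaves strangely"; a function whose first byte is C3 or a conditional jump turned unconditional is a signature of exactly the kind of edit this tutorial walks through.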

That's all for now..hope to see ya all soon, in my next tutorial..
