=[ info ]======================================================================
Merchants of Andromeda by Sign Hill Games (www.signhill.com)
=[ comments ]==================================================================
I think it would be nice for all cracks to look like this one.
You may use the contents of this package any way you want, even put your own
copyright on it.
We disacknowledge copyright.
Play. Learn. Enjoy.
=[ changes ]===================================================================
If you want to change the contents, but still want to leave our stupid
captions/signatures/other stuff, you may log your change here (latest at the
bottom).
19-dec-2002, file created by names::consealed
??-???-????, your changes by yourname
=[ patch info (use any hex editor) ]===========================================
Merchants.exe
offset:   old new
00008531: 8B C7
00008534: 83 33
00008535: F8 00
00008536: FF 00
00008537: 75 00
00008538: 1C 8B
00008539: D9 40
0000853A: 05 4C
0000853B: 40 EB
0000853C: 34 18
=[ how we did it (sorry for mistakes, if any) ]================================
Needed tools: w32dasm
1) Launch the game, then launch w32dasm and choose Debug -> Attach to an Active
Process. Select merchants.exe there.
2) The idea is: a message "Trial version" is displayed under the game title in
the main menu. Of course, the game checks whether the version is really a
trial (in other words, unregistered), and if it is, it displays that string.
So let's find where the game stores the "app_is_not_registered" value, and
change it.
* This SHOULD NOT work in other programs, because it's too easy to crack...
3) w32dasm: Refs -> String Data References. Find the string "Trial Version".
Double-click it several times. You'll see that we have only two references
to this string in the code. The pointer to this string is passed as an
argument to the function located at 00413B5Ah (that function draws the text).
I guess that the first reference (at 00403982h) is used when the game
displays the "Trial Version" string in the game (in the upper right corner).
We need the second one (at 00408541h).
4) Do you see a reference to the "L I M I T E D E D I T I O N" string a couple
of lines later in the code? It becomes interesting...
So, what do we see? Let's look at the CMP and J?? opcodes between addresses
00408527h and 0040857Bh. We can clearly see the following algorithm:
- 00408531h: put some value from memory into EAX
- If that value is equal to FFFFFFFFh, the "Trial Version" string is drawn
- If it's less than or equal to 50 (32h), we draw "L I M I T E D E D I T I O N"
- Else, we draw nothing
So, let's try to change that value.
Select the line at 00408531h and press F2 (set a breakpoint); the menu
animation will stop. Then press the "Patch Code" button in w32dasm.
Insert the following opcodes:
mov [eax+4C], 00000033h
mov eax, [eax+4C]
jmp 00408555h
This will change the mysterious value in memory, put it into EAX and then let
the game run normally. Press "Apply Patch".
Now, if we remove the breakpoint (F2 again) and run the game (F9), the "Trial
version" text will disappear. The game is registered (until it is closed).
After patching the .exe file, the game will stay registered forever.
* you may use 00000032h (for example) instead of 00000033h in the first
line of the patch code. Doing so, you will see that strange LIMITED
EDITION.
========================================================== names::consealed ===