--------------------------------------------------+
This information is for educational purposes only!|
--------------------------------------------------+

 
 Target game: Microshaft's NBA Full Court Press
	      I'm sorry all you microshaft haters (incl. me)... but I didn't have a choice...=/

 Toolz used: W32Dasm v8.93 & Hiew 6.16 (Regedit Extensions... not necessary)
 
 Some preparing hints: Assuming u have mp3z on your harddrive (or cd), start your fav 
			     mp3 player and load your fav songs.. ye won't get so bored whilst 
			     readin' and patchin'...=)

		       This piece of text expanded quite a bit.. don't read it all at once =)
 
 Hopefully u'll understand me from most of the parts..my english suxs..and so does my knowledge 
 of asm...but hopefully u still learn something..(I did..)

 Step 1. Start with install of course. Make a full install, and after it's done, goto the CD
	 and copy every file under the directory "Bot" to your harddrive (of course u have to 
	 put them into the dir "Bot" under where u installed nba).. if u did everything correctly
	 the nba folder size should be about 450 megs...

 Step 2. Make a backup of Nba_fcp.exe (that's how it's named in my version.. dunno if it's 
	 different in some other versions) and load it onto W32Dasm. Next we wanna of course
	 find the spot where to place the patch, so grab the CD outta drive and start the game.
	 "Insert ...", typical message.. argh... can't they come up with anything else?..borin'
	 ..But anywayz.. u should be able to find the right place using search or Strn Refs...
	 found it already?.. g00d ..

 	 

* Possible StringData Ref from Data Obj ->"name811"
                                  |
:004409A5 68A8D94F00              push 004FD9A8
:004409AA E821E60600              call 004AEFD0
:004409AF 83C404                  add esp, 00000004
:004409B2 50                      push eax
:004409B3 E808D50700              call 004BDEC0
:004409B8 83C408                  add esp, 00000008
:004409BB 8945E4                  mov dword ptr [ebp-1C], eax
:004409BE 85C0                    test eax, eax
:004409C0 740B                    je 004409CD
:004409C2 50                      push eax
:004409C3 E888D20700              call 004BDC50
:004409C8 83C404                  add esp, 00000004
:004409CB EB49                    jmp 00440A16

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004409C0(C) <-- *
|
:004409CD 8D4DDC                  lea ecx, dword ptr [ebp-24]
:004409D0 E84F400900              call 004D4A24
:004409D5 C645FC04                mov [ebp-04], 04
:004409D9 8D4DE8                  lea ecx, dword ptr [ebp-18]
:004409DC E843400900              call 004D4A24

* Possible Reference to String Resource ID=03153: "Insert the Microsoft NBA Full Court Press CD to start the ga"	 

 hmm... doesn't that text look familiar?.. arghh... yes it does...

 Ok.. let's get started with patching... the quick look over the code reveals sumfin'...
 (not much but somethin'.. hmm.. I must be learning...)... if you've done some cracking before
 u probably guessed where to start.. u could start by noticing the referenced jump* ... if u look
 closely enough u should notice that following the jump will only go up a bit.. so head over 
 there... (note that asm code below is the same as the one above... I just cut the lower part)

* Possible StringData Ref from Data Obj ->"name811"
                                  |
:004409A5 68A8D94F00              push 004FD9A8
:004409AA E821E60600              call 004AEFD0 
:004409AF 83C404                  add esp, 00000004
:004409B2 50                      push eax
:004409B3 E808D50700              call 004BDEC0 <-- what's this...
:004409B8 83C408                  add esp, 00000008
:004409BB 8945E4                  mov dword ptr [ebp-1C], eax
:004409BE 85C0                    test eax, eax <-- hmm.. test eax..is it zero?
:004409C0 740B                    je 004409CD <-- yes.. then jump*
:004409C2 50                      push eax
:004409C3 E888D20700              call 004BDC50 <--... and this?
:004409C8 83C404                  add esp, 00000004
:004409CB EB49                    jmp 00440A16 

 Hmm.. At this point I thought "Whoa.. this one's very ez..".. but I made a mistake..hmph...=)
 If u try to patch the jump* and start the game, you'll only get gpf (general protection fault).
 So that's not the right place...(although there's a solution here already...*g*)...
 so.. again scroll a tiny bit up 'til u see this...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00440A1A(C) <-- geez..this looks nice..
|

* Possible StringData Ref from Data Obj ->"r"
                                  |
:004409A0 681CD14F00              push 004FD11C

 Nothing much here to do... follow the jump...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004409CB(U)
|
:00440A16 837DE400                cmp dword ptr [ebp-1C], 00000000 <-- compare..00=fail,01=pass
:00440A1A 7484                    je 004409A0 <-- this' the jumpie...
:00440A1C 68002D3101              push 01312D00

* Possible Reference to String Resource ID=00002: "Celtics"
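
 The jump and call targets W32Dasm prints in these listings come straight from the raw bytes
 in the second column: target = address of the next instruction + signed displacement. The
 sketch below is an added example (not part of the original tutorial) that recomputes them
 from rows copied off this page; decode_branch, verify_listing and LISTING are made-up names,
 and it covers every short Jcc opcode (70-7F), not only the je seen here.

```python
# Added example: recompute branch targets from the raw bytes in the listing.
# Rows are (address, hex bytes, target printed by W32Dasm), copied from this page.
LISTING = [
    (0x004409AA, "E821E60600", 0x004AEFD0),  # call
    (0x004409B3, "E808D50700", 0x004BDEC0),  # call
    (0x004409C0, "740B",       0x004409CD),  # je
    (0x004409C3, "E888D20700", 0x004BDC50),  # call
    (0x004409CB, "EB49",       0x00440A16),  # jmp
    (0x00440A1A, "7484",       0x004409A0),  # je
]

# Short conditional jumps, indexed by opcode - 0x70.
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def decode_branch(addr, hexbytes):
    """Return (mnemonic, target, direction) for a relative call/jmp/Jcc."""
    raw = bytes.fromhex(hexbytes)
    if not raw:
        raise ValueError("no instruction bytes given")
    op = raw[0]
    if op in (0xE8, 0xE9):            # call rel32 / jmp rel32
        name, size = ("call" if op == 0xE8 else "jmp"), 5
    elif op == 0xEB:                  # jmp rel8
        name, size = "jmp", 2
    elif 0x70 <= op <= 0x7F:          # Jcc rel8
        name, size = JCC[op - 0x70], 2
    else:
        raise ValueError(f"opcode {op:02X} is not a relative branch")
    if len(raw) != size:
        raise ValueError(f"expected {size} bytes, got {len(raw)}")
    # The displacement is little-endian and signed (0x84 means -124).
    disp = int.from_bytes(raw[1:], "little", signed=True)
    target = (addr + size + disp) & 0xFFFFFFFF
    direction = "backward" if target <= addr else "forward"
    return name, target, direction


def verify_listing(rows=LISTING):
    """Return the rows whose decoded target differs from the printed one."""
    return [(a, h) for a, h, want in rows if decode_branch(a, h)[1] != want]


if __name__ == "__main__":
    for addr, hexbytes, _ in LISTING:
        name, target, direction = decode_branch(addr, hexbytes)
        print(f"{addr:08X} {hexbytes:<10} {name:<4} {target:08X} ({direction})")
    print("mismatches:", verify_listing())
```

 The je at 00440A1A is the only backward branch in the set, which is why following it lands
 "up a bit" at 004409A0.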

 Whoa.. now it seems like we're getting sumwhere.. and yes.. this is a good place to put our 
 patch.. like u should've guessed there's two ways to pass the check at this point...
 1. Change cmp to 1
 2. Reverse the jump (or NOP it)

 Choose whichever way u want...

 This section is only for those who don't know how to patch the check.. advanced ppl go on...

 In W32Dasm.. move the line over the jump location (but don't jump) and it should turn green
 .. now if u look at the lower part of W32Dasm u see @Offset 0003FE1Ah... take the number part only
 (leave the "h" out.. it only means hex). Now start Hiew and load the .exe on it. Press Enter
 two times, then F5 and enter the number. If u succeeded, press F3 and make the following change(s)

 1. 837DE400 -> 837DE40|1|
 2. 7484 -> 7|5|84 or 9090

 After you're done with the modifications, press F9 and ESC to quit Hiew

 ok... assuming u've made the change, try starting NBA and if everything went ok (don't mind
 the nag that still complains about the cd, just press ok) the game should start... but now 
 if u try to start a single game or whatever, u'll probably get an error message relating to some
 of the .Bot files.. now u have to modify your Registry a bit (u should know what it is..if u 
 dont.. ask sum1). Goto Registry and type a search String (I used NBA).. it takes awhile to find
 the right place (ignore everything else..u know when u're in the right plaza...)

 U should see something like this (I won't type it all here...)

 AVIPath     "blah blah"
 CDPath      "blah blah"
 HDPath      eg. "c:\games\nba"
 etc..

 Wherever there's some sort of Path or Dir mentioned.. change it to the drive where u
 installed nba (eg. c:)..
 
 AVIPath     "C:"
 CDPath      "C:"
 HDPath      "C:" (not necessary.. leave it untouched if u wish..)

 Every Path related to the installation directory can be left untouched..

 Edit every path to "C:" or corresponding and start the game... does it work?.. Yes it does 
 (works on my cpu... don't come complaining to me if you've made any mistakes..=)

 Ok.. this should do it.. U've cracked the game... (Not in the cleanest way.. but still)..
 Every perfectionist will probably be asking "How to crack the game so that the nag won't show up?"
 .. hmm.. I thought "Whatta hell... If ppl want it.. I'll give it.."

 Uc'n stop reading at this point if u want..I'll only show the other way..

 ------------------------------------------------------------------------------------------------

 Let's move back to start (and assuming u've replaced the modified .exe with the backup...)

* Possible StringData Ref from Data Obj ->"name811"
                                  |
:004409A5 68A8D94F00              push 004FD9A8
:004409AA E821E60600              call 004AEFD0 
:004409AF 83C404                  add esp, 00000004
:004409B2 50                      push eax
:004409B3 E808D50700              call 004BDEC0 <-- remember these...
:004409B8 83C408                  add esp, 00000008
:004409BB 8945E4                  mov dword ptr [ebp-1C], eax
:004409BE 85C0                    test eax, eax
:004409C0 740B                    je 004409CD
:004409C2 50                      push eax
:004409C3 E888D20700              call 004BDC50 <-- two calls...? U should...
:004409C8 83C404                  add esp, 00000004
:004409CB EB49                    jmp 00440A16

 This is the same code as in the beginning of this .txt...
 Ok.. the secret of patchin this "cleanly" lies beneath these two calls..I bet u know what to
 do with them.. mov eax, 00000001 ...both of 'em.. (arghh.. my hands are cramping at this point)
 If u replace only the first.. u'll get gpf (dunno why exactly..?)..if only the last.. the nag's
 still there.... that's why u have to take both of 'em...(dont ask me why.. at this point the 
 asm code beat my knowledge of it...)... after you're done with mov(ing) them.. make the 
 same registry modfs as shown a few lines back... and now u should have "Clean" crack..=)

 - Microshaft's ABN (Anal Bear Nuggets) was krakked by C_DKnight
 
 hmm... if some of u still remember me.. I'm the same person as mr. Cloud [StarGazer]...
 Greetz: go out to tKC (for publishing my tutz.. thx billion times..=), dAvId/nightmare for his 
 	 excellent tuts.. plus every cracker who's written at least one tut.. plus the great
	 gurus Beowulf, Grudge, Sun-Tzu, G-Rom etc.. there are too many of them..=)..U rule..

 c_dknight@iobox.com

 This phile was written on 24th of October 1999...