<HTML>
<HEAD>
   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
   <META NAME="GENERATOR" CONTENT="Mozilla/4.04 [en] (Win95; I) [Netscape]">
   <META NAME="Author" CONTENT="The Sandman">
   <META NAME="Classification" CONTENT="Reverse Code Engineering">
   <META NAME="Description" CONTENT="Step by step guide to cracking RegView V2.21a">
   <META NAME="KeyWords" CONTENT="How to crack RegView V2.21a">
   <TITLE>RegView V2.21a</TITLE>
</HEAD>
<BODY TEXT="#001010" BGCOLOR="#C0C0C0" LINK="#FF0000" VLINK="#000099" ALINK="#FFFF00">
&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR BGCOLOR="#FFFFFF">
<TD WIDTH="15%">
<CENTER><B><FONT FACE="Arial,Helvetica">July 1998</FONT></B></CENTER>
</TD>

<TD WIDTH="100%">
<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=+2>"RegView V2.21"</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">( '<B>Breathing new life into programs</B>'&nbsp;
)</FONT></CENTER>
</TD>

<TD WIDTH="30%">
<CENTER><B><FONT FACE="Arial,Helvetica">Win '95 PROGRAM</FONT></B></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#808080">Win Code Reversing</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#808080">&nbsp;</FONT></FONT></CENTER>
</TD>
</TR>

<TR BGCOLOR="#FFFF99">
<TD WIDTH="15%">
<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#890000">&nbsp;</FONT></FONT></CENTER>
</TD>

<TD>
<CENTER><FONT FACE="Arial,Helvetica">by <FONT SIZE=+3>The Sandman&nbsp;</FONT></FONT></CENTER>
</TD>

<TD VALIGN=CENTER WIDTH="30%"><FONT FACE="Arial,Helvetica">&nbsp;</FONT></TD>
</TR>

<TR BGCOLOR="#999900">
<TD WIDTH="15%">
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>
</TD>

<TD>
<CENTER><FONT FACE="Arial,Helvetica">Code Reversing For Beginners&nbsp;</FONT></CENTER>
</TD>

<TD WIDTH="30%">
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>
</TD>
</TR>

<TR BGCOLOR="#C0C0C0">
<TD WIDTH="15%"></TD>

<TD ALIGN=LEFT>
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><B><FONT FACE="Arial,Helvetica">Program Details</FONT></B></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Name:</B> regview.zip</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Type:</B> Monitors Installations</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Location:</B> <A HREF="http://www.xnet.com/~vchiu/">Here</A>&nbsp;</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Size: </B>471K&nbsp;</FONT></CENTER>
<FONT FACE="Arial,Helvetica">&nbsp;</FONT></TD>

<TD WIDTH="30%"></TD>
</TR>

<TR BGCOLOR="#C0C0C0">
<TD WIDTH="15%"></TD>

<TD><FONT FACE="Arial,Helvetica"><B>&nbsp;</B>&nbsp;</FONT>&nbsp;
<CENTER><B><FONT FACE="Arial,Helvetica">Tools Used:</FONT></B></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;<A HREF="http://ftpsearch.ntnu.no/cgi-bin/search?query=si95w320.zip&doit=Search&type=Case+insensitive+substring+search&doexact=on&hits=50&matches=&hitsprmatch=&limdom=&limpath=&f1=Count&f2=Mode&f3=Size&f4=Date&f5=Host&f6=Path&header=none&sort=none&trlen=20">Softice
V3.2</A> - Win'95 Debugger</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><A HREF="http://www.fortunecity.com/bally/waterford/18/w32dsm89.zip">W32Dasm
V8.9</A> - Win'95 Disassembler</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>
</TD>

<TD WIDTH="30%"></TD>
</TR>

<TR>
<TD VALIGN=CENTER BGCOLOR="#C6E7C6">
<CENTER><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#0000FF">Rating</FONT></FONT></B></CENTER>
</TD>

<TD VALIGN=CENTER BGCOLOR="#C6E7C6">
<CENTER><B><FONT FACE="Arial,Helvetica"><FONT SIZE=-1><FONT COLOR="#0000FF">Easy
( X&nbsp; )&nbsp; Medium ( X&nbsp; )&nbsp; Hard (&nbsp;&nbsp;&nbsp; )&nbsp;
Pro (&nbsp;&nbsp;&nbsp; )</FONT>&nbsp;</FONT></FONT></B></CENTER>
</TD>

<TD WIDTH="30%" BGCOLOR="#999900"><B><FONT FACE="Arial,Helvetica"><FONT SIZE=-1>There
is a crack, a crack in everything. That's how the light gets in.</FONT></FONT></B></TD>
</TR>
</TABLE>

<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=-1>&nbsp;</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT>&nbsp;
<HR></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=+2>RegView V2.21a</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=+2>( 'Breathing New Life
Into Programs'</FONT><B>&nbsp;</B><FONT SIZE=+2> )</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#0B7FC1">Written by The
Sandman</FONT></FONT></CENTER>
<FONT FACE="Arial Black">&nbsp;</FONT>
<BR>&nbsp;
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT COLOR="#0000FF"><FONT SIZE=+2>Introduction</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
&nbsp;
<BR><FONT FACE="Arial,Helvetica">The authors of <A HREF="http://www.xnet.com/~vchiu/">RegView</A>&nbsp;
</FONT>say:-
<BR>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>"RegView" is a Registry
editing and System restoring utility.</FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>RegView not only provides
almost all the features which "RegEdit" has but also adds some very useful
features which "RegEdit" misses, such as select root or whole registry
for registry key or value search, replace and delete with one single search
and which can also combine with multiple keyword string search.</FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>Another key feature of
RegView is to provide registry "record and compare" so that users can track
any registry change. And better yet, you can restore those registry changes
with one single click. RegView also "record and compare" and restore ini
files and any "directory and file" change. These provides a good system
recovery to restore back to original system status at the time of recording.
For examples, users can use RegView to record registry, ini files and "directory
and file" before installing some</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>application under test.
Then after the test, you can use RegView to restore the system change which
has been affected by that application."</FONT></FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT COLOR="#3333FF"><FONT SIZE=+2>About this protection system</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">This program is a 30 day trial program.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">On successful installation the program
creates the following entries in your System registry file:-</FONT>

<P><FONT FACE="Arial,Helvetica">HKEY_CURRENT_USER\Software\Vchiu's Software\RegView\Count</FONT>
<BR><FONT FACE="Arial,Helvetica">HKEY_CURRENT_USER\Software\Vchiu's Software\RegView\Drive</FONT>
<BR><FONT FACE="Arial,Helvetica">HKEY_CURRENT_USER\Software\Vchiu's Software\RegView\Root</FONT>
<BR><FONT FACE="Arial,Helvetica">HKEY_CURRENT_USER\Software\Vchiu's Software\RegView\Startup</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT SIZE=+2><FONT COLOR="#0000FF">The Essay</FONT>&nbsp;</FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">For this essay I
chose to attack this program's protection system by patching it, rather
than by sniffing out the serial number and I'm glad I did.&nbsp; Had I
sniffed out the serial number then I would not have known or learned about
the efforts the programmers had used to make sure their program was 'tamper
proof' against novice or inexperienced crackers such as you and me.&nbsp;
Remember, it's important for us to learn </FONT><B><I><U><FONT COLOR="#993366">how</FONT></U></I></B><FONT COLOR="#000000">
protection systems operate rather than just sniffing out its serial number
and saying that's it, job done.&nbsp; Skipping over valuable lessons such
as the one this program offers does you no good at all and will one day
come back to haunt you the next time you try and crack a program such as
this one.</FONT></FONT>

<P><FONT FACE="Arial,Helvetica">Once you've run RegView I want you to now
exit from it then fire up <B><FONT COLOR="#993366">RegEdit</FONT></B>,
this is your Win'95 system utility and it allows us to edit any entry in
your System Registry File.</FONT>

<P><B>Search</B> for: <B><FONT COLOR="#993366">Vchiu</FONT></B>
<BR>Then once found, press on the <B>DEL key, </B>you will be asked if
you want to delete this entry, answer <B>YES</B>.&nbsp; Now <B>close</B>
RegEdit.

<P>Don't worry, the next time you run RegView it will re-create this entry
and the values we've just deleted, however, now the program will tell us
that our 'Trial Period' is over and that we should register the program.&nbsp;&nbsp;
This is just the same as running and exiting from the program 30 times,
only this way it's much quicker..:)

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Next, create a 'Dead
Listing' using W32Dasm; you're going to need it if you are going to *crack*
and *learn* from this babe.&nbsp; The resulting file is going to be around
10 MB in size, so it might take W32Dasm a while to create it. Why not take this
opportunity to put some music on and relax; a cool glass of Wodka will
help as well..:)</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Once your 'dead
listing' is ready, open up the '<B>String Data Resources</B>' and check
for anything that might look as if it might come in handy in our quest
to crack this program..</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">While you're at it
<B>double-click</B> on the text message "</FONT><B><FONT COLOR="#993366">Maximum
number of trials has been</FONT></B><FONT COLOR="#000000"> " then keep
<B>double-clicking</B> on this text message and count how many occurrences
there are!</FONT></FONT>

<P><FONT FACE="Arial,Helvetica">There are four occurrences of this text
message, with almost a dozen entry points used by the program to call these
four messages during the course of the program being used. So, the programmers
want to either confuse us or want to make sure that if we disable one program
check, then there are three others to fall back on.. hehehe, let's see if
we can get past these checks...</FONT>

<P>Many programs, and RegView is no exception, use the PC's EAX register
to hold the starting number of 'Trial Uses' allowed with a shareware
program. In fact, this method is also used by many Shareware programs to hold
the number of days allowed to evaluate the program; it's just that this
program has opted to use it for the number of 'Trial Uses' the User is allowed
before it must be registered. So while still in W32Dasm get it to search
for the following sequence of bytes:-

<P><B><U>Search</U></B> for: <B>B81E000000</B>

<P>Basically, this sequence of numbers represent the following Assembler
instruction:

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>mov&nbsp; eax,0000001E&nbsp;&nbsp;
; <B><FONT COLOR="#993366">Set EAX register with the value of 30</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
; <B><FONT COLOR="#993366">1E is the hex value of 30 decimal.</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
; <B><FONT COLOR="#993366">The value 30 is our allowed total 'Trial Uses'.</FONT></B></FONT></FONT>

<P><FONT FACE="Arial,Helvetica">You will find only one occurrence, shown
below, so let's examine this code more closely and see what's happening
here.</FONT>
<BR>&nbsp;

<P><FONT FACE="Courier New,Courier"><FONT COLOR="#990000"><FONT SIZE=-1>;
The program is checking to see if memory location 00477694 contains a</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#990000"><FONT SIZE=-1>;
value of '0', then it follows this with a conditional jump based on the</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#990000"><FONT SIZE=-1>;
results of comparing memory location 00477694.</FONT></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT COLOR="#990000"><FONT SIZE=-1>;
The significance here is that if this memory location does NOT contain
a</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#990000"><FONT SIZE=-1>;
value of 0 then it JUMPS over all the code that handles and displays the</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#990000"><FONT SIZE=-1>;
number of Trial Uses left!</FONT></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT COLOR="#990000"><FONT SIZE=-1>;
If you've run RegView then you'll know that the only place where it</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#990000"><FONT SIZE=-1>;
displays the number of 'Uses' left to you is in the 'About' screen.</FONT></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT COLOR="#990000"><FONT SIZE=-1>;
One of the major differences between a Shareware &amp; Registered program</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#990000"><FONT SIZE=-1>;
is that in the Registered program it does NOT display how many days/uses</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#990000"><FONT SIZE=-1>;
left before you have to register the program.</FONT></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#990000">;
So, if </FONT><B><FONT COLOR="#993366">cmp byte ptr [00477694]</FONT></B><FONT COLOR="#990000">
= 0 then the program must be Shareware!</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#990000">;
but if </FONT><B><FONT COLOR="#993366">cmp byte ptr [00477694]</FONT></B><FONT COLOR="#990000">
= 1 then the program must be Registered!</FONT></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F29 803D9476470000&nbsp;&nbsp;
cmp byte ptr [00477694], 00 ;<B><FONT COLOR="#993366">Program Shareware?</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F30 7567&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jne 00462F99 ;<B><FONT COLOR="#993366">Jump if program *Registered* else</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><B><FONT COLOR="#993366">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</FONT></B><FONT COLOR="#000000">;</FONT><B><FONT COLOR="#993366">still
Shareware so display the</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;</FONT><B><FONT COLOR="#993366">number of Uses left.</FONT></B></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F32 8D55F8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea edx, dword ptr [ebp-08]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F35 8B45FC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, dword ptr [ebp-04]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F38 8B98F0010000&nbsp;&nbsp;&nbsp;&nbsp;
mov ebx, dword ptr [eax+000001F0]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F3E 8BC3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, ebx</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F40 E85B18FBFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 004147A0</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F45 8D45F8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea eax, dword ptr [ebp-08]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F48 BAF42F4600&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, 00462FF4</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F4D E85607FAFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 004036A8</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F52 8D45F8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea eax, dword ptr [ebp-08]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F55 50&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push eax</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F56 8D55F4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea edx, dword ptr [ebp-0C]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F59 B81E000000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, 0000001E ;<B><FONT COLOR="#993366">Total Tries allowed 30 Dec.</FONT></B></FONT></FONT>
<BR><B><FONT FACE="Courier New,Courier"><FONT COLOR="#993366"><FONT SIZE=-1>&nbsp;</FONT></FONT></FONT></B>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">;
</FONT><B><FONT COLOR="#993366">Memory location [477698] holds the number
of Uses you've had from the</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">;
</FONT><B><FONT COLOR="#993366">program so far. So this is our 'counter'.&nbsp;
This value is then subtracted</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">;
</FONT><B><FONT COLOR="#993366">from the value 1E (30 dec) to give you
tries remaining before you must</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">;
</FONT><B><FONT COLOR="#993366">register it.</FONT></B></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F5E 2B0598764700&nbsp;&nbsp;&nbsp;&nbsp;
sub eax, dword ptr [00477698] ;<B><FONT COLOR="#993366">Subtract the</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">number of uses</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">you have already</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">had.</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F64 E8D331FAFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 0040613C</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F69 8B55F4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, dword ptr [ebp-0C]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F6C 58&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
pop eax</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F6D E83607FAFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 004036A8</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F72 8D45F8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea eax, dword ptr [ebp-08]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F75 BA00304600&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, 00463000 ;= "XX More trials left"</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00462F7A E82907FAFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 004036A8</FONT></FONT>

<P><FONT FACE="Arial,Helvetica">So as you can see, we've learned a great
deal about this program just by examining this one routine..</FONT>

<P><FONT FACE="Arial,Helvetica">Let's re-cap...</FONT>

<P><FONT FACE="Arial,Helvetica">Memory location <B><FONT COLOR="#993366">00477694</FONT></B>
is used as a&nbsp; *Shareware/Register flag*, default value '0' meaning
Shareware, else a value (usually '1') representing that this program has
been registered.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">Memory location <B><FONT COLOR="#993366">00477698</FONT></B>
is used as a *Counter Flag*, it holds the number of Uses you have made
of the program.</FONT>

<P><FONT FACE="Arial,Helvetica">After setting Softice breakpoints on all
the conditional jumps that call the four memory routines that handle and
display the message:</FONT>

<P><FONT FACE="Arial,Helvetica">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
->"Maximum number of trials has been "</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
->"reached! To continue use of this "</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
->"program, you need to register "</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
->"now!"</FONT>

<P><FONT FACE="Arial,Helvetica">I found the routine that is used primarily
by RegView to display and handle this message at:</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676C8 84C0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
test al, al</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676CA 0F84DE010000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
je 004678AE ;<B><FONT COLOR="#993366">Tampering of Registry File</FONT></B>?</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676D0 BAA47A4600&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, 00467AA4</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676D5 8B45F8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, dword ptr [ebp-08]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676D8 E8FFC4FCFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 00433BDC</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676DD A398764700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov dword ptr [00477698], eax</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676E2 832D9876470084&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
sub dword ptr [00477698], FFFFFF84</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676E9 813D9876470017FAFFFF&nbsp;&nbsp;&nbsp;
cmp dword ptr [00477698], FFFFFA17</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676F3 750C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jne 00467701 ;<B><FONT COLOR="#993366">jump if still Shareware</FONT></B></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676F5 C6059476470001&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov byte ptr [00477694], 01 ;<B><FONT COLOR="#993366">Make program</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">Registered!</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676FC E981020000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jmp 00467982</FONT></FONT>

<P><FONT FACE="Arial,Helvetica">Basically, the program checks to see if
there are any signs of you messing with its entries in the System Registry
file and if it does find evidence of this then the <B><FONT COLOR="#993366">je
004678AE</FONT></B> instruction skips over any further checks on the Counter
flag and goes to a different routine that handles the message "Maximum
number of trials has been reached...."</FONT>

<P><FONT FACE="Arial,Helvetica">If all goes well then it performs a series
of check-sums on its 'counter flag' stored in memory location [00477698]
which determines whether it's still in Shareware mode or whether it's
to run in *Registered* mode.</FONT>

<P><FONT FACE="Arial,Helvetica">If the program finds it's supposed to run
in *Registered* mode then the jne 00467701 jump is not taken and
so the program automatically goes on to execute the next instruction, mov
byte ptr [00477694],01 which sets the flag that we now know is checked by the program to see
whether or not the program has been registered.&nbsp; Since this
routine is called BEFORE the main program this means that if the program
becomes *registered* at this point then we won't see any nag screens, we
won't have to worry about our "30 tries and you're out" setup and the program
will disable access to the 'Registration Screen' because it believes we've
already registered it!</FONT>

<P><FONT FACE="Arial,Helvetica">OK, we've found where we think is our 'Patch'
location so let's start patching!..</FONT>

<P><B><U><FONT FACE="Arial,Helvetica"><FONT COLOR="#CC0000">BEFORE:-</FONT></FONT></U></B>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676C8 84C0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
test al, al</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676CA 0F84DE010000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
je 004678AE ;<B><FONT COLOR="#993366">Tampering of Registry File</FONT></B>?</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676D0 BAA47A4600&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, 00467AA4</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676D5 8B45F8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, dword ptr [ebp-08]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676D8 E8FFC4FCFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 00433BDC</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676DD A398764700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov dword ptr [00477698], eax</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676E2 832D9876470084&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
sub dword ptr [00477698], FFFFFF84</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676E9 813D9876470017FAFFFF&nbsp;&nbsp;&nbsp;
cmp dword ptr [00477698], FFFFFA17</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676F3 750C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jne 00467701 ;<B><FONT COLOR="#993366">jump if still Shareware</FONT></B></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676F5 C6059476470001&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov byte ptr [00477694], 01 ;<B><FONT COLOR="#993366">Make program</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">Registered!</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676FC E981020000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jmp 00467982</FONT></FONT>

<P><B><U><FONT FACE="Arial,Helvetica"><FONT COLOR="#CC0000">AFTER:</FONT></FONT></U></B>

<P><B><FONT FACE="Courier New,Courier"><FONT COLOR="#CC0000"><FONT SIZE=-1>:004676C8
EB2B&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jmp 004676F5 ;Always register this program</FONT></FONT></FONT></B>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676CA 0F84DE010000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
je 004678AE ;<B><FONT COLOR="#993366">Tampering of Registry File</FONT></B>?</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676D0 BAA47A4600&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, 00467AA4</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676D5 8B45F8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, dword ptr [ebp-08]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676D8 E8FFC4FCFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 00433BDC</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676DD A398764700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov dword ptr [00477698], eax</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676E2 832D9876470084&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
sub dword ptr [00477698], FFFFFF84</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676E9 813D9876470017FAFFFF&nbsp;&nbsp;
cmp dword ptr [00477698], FFFFFA17</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676F3 750C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jne 00467701 ;<B><FONT COLOR="#993366">jump if still Shareware</FONT></B></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676F5 C6059476470001&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov byte ptr [00477694], 01 ;<B><FONT COLOR="#993366">Make program</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">Registered!</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004676FC E981020000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jmp 00467982</FONT></FONT>
<BR>&nbsp;
<BR><FONT FACE="Arial,Helvetica">OK, if you have RegView running then close
it..</FONT>

<P><FONT FACE="Arial,Helvetica">Load up regview.exe into your favorite
Hex-Editor ( I prefer hexWorkshop-32) but just about any Hex-Editor will
do..</FONT>
<BR>&nbsp;
<BR><FONT FACE="Courier New,Courier"><B>SEARCH</B> FOR THE FOLLOWING BYTES
: E838BFFCFF84C00F</FONT>
<BR><FONT FACE="Courier New,Courier"><B>REPLACE</B> WITH <B><U><FONT COLOR="#990000">HIGHLIGHTED</FONT></U></B>
BYTES : E838BFFCFF<B><FONT COLOR="#990000">EB2B</FONT></B>0F</FONT>

<P><FONT FACE="Arial,Helvetica">This patch will permanently make this program
register itself each time it is run.</FONT>

<P><FONT FACE="Arial,Helvetica">Now fire up Regview.... What! The program
now displays the message:</FONT>

<P><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#993366">"This file is
corrupt. Please download and install RegView again."</FONT></FONT></B>

<P><FONT FACE="Arial,Helvetica">Hehe, no problem, there must be a routine
that performs a kind of CRC check on the program itself which would then
detect any changes to the program's code..</FONT>

<P><FONT FACE="Arial,Helvetica">Back into our Dead Listing...</FONT>

<P><FONT FACE="Arial,Helvetica"><B><U>Search</U></B> for the text "<B><FONT COLOR="#993366">This
file is corrupt</FONT></B>" which we know is part of the message displayed
by RegView.</FONT>

<P><FONT FACE="Arial,Helvetica">We should now be shown the following snippet
of code:-</FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004738AD 7921&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jns 004738D0 ;<B><FONT COLOR="#993366">ignore this instruction, it's</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">part of a DATA BYTE.</FONT></B></FONT></FONT>
<BR>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004738AF 00538B&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
add byte ptr [ebx-75], dl</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004738B2 D86A00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
fsubr dword ptr [edx+00]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004738B5 668B0DD4384700&nbsp;&nbsp;&nbsp;
mov cx, word ptr [004738D4]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004738BC 33D2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
xor edx, edx</FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>* StringData Ref from
Code Obj ->"<B><FONT COLOR="#993366">This file is corrupted. Please </FONT></B>"</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
->"<B><FONT COLOR="#993366">download and install RegView again!</FONT></B>"</FONT></FONT>
<BR>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004738BE B8E0384700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, 004738E0</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004738C3 E880F5FBFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 00432E48</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004738C8 8BC3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, ebx</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004738CA E81910FBFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 004248E8</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004738CF 5B&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
pop ebx</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004738D0 C3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ret</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica">By placing a SoftICE breakpoint at <B><FONT COLOR="#993366">4738CF</FONT></B>&nbsp;
<B><FONT COLOR="#993366">POP EBX</FONT></B> and then following where the
<B><FONT COLOR="#993366">RET </FONT></B>instruction took me, I found it
placed me here:-</FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0044D2F0 3B05DC614700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
cmp eax, dword ptr [004761DC] ;<B><FONT COLOR="#993366">1st Check</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0044D2F6 742E&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jz 0044D326 ;<B><FONT COLOR="#993366">Jump if OK</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0044D2F8 66837B2A00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
cmp word ptr [ebx+2A], 0000 ;<B><FONT COLOR="#993366">2nd check</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0044D2FD 740A&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jz 0044D309 ;<B><FONT COLOR="#993366">Jump if check failed</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0044D2FF 8BD3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, ebx</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0044D301 8B432C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, dword ptr [ebx+2C]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0044D304 FF5328&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call [ebx+28] ;<B><FONT COLOR="#993366">This calls the routine that</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">displays "This file is corrupt.</FONT></B>"</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0044D307 EB1D&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jmp 0044D326</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0044D309 6A10&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push 00000010 ;<B><FONT COLOR="#993366">This is our second "Virus</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">Warning" message.</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0044D30B 6888D34400&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push 0044D388 ;Message Title: "<B><FONT COLOR="#993366">Program Error</FONT></B>"</FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>* StringData Ref from
Code Obj ->"<B><FONT COLOR="#993366">This program has been modified</FONT></B>
"</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
->"<B><FONT COLOR="#993366">either by a virus or by a transfer </FONT></B>"</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
->"<B><FONT COLOR="#993366">problem. It will terminate now.</FONT></B>"</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0044D310 6898D34400&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push 0044D398</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0044D315 6A00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push 00000000</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0044D317 E82082FBFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Call user32.MessageBoxA</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">As we can see, if
we patch the program at the 1st check so that it ALWAYS jumps to the '</FONT><B><FONT COLOR="#993366">program
checked, no tampering detected</FONT></B><FONT COLOR="#000000">' routine
then we need never worry about this program detecting our patches and it
will <B><U>ALSO</U></B> disable the <B><U>SECOND</U></B> program check
that would result in a further "</FONT><B><FONT COLOR="#993366">Virus Warning"
</FONT></B><FONT COLOR="#000000">message being displayed!</FONT></FONT>

<P><FONT FACE="Arial,Helvetica">OK, if you have RegView running then close
it..</FONT>

<P><FONT FACE="Arial,Helvetica">Load up regview.exe into your favorite
Hex-Editor ( I prefer hexWorkshop-32) but just about any Hex-Editor will
do..</FONT>
<BR>&nbsp;
<BR><FONT FACE="Courier New,Courier"><B>SEARCH</B> FOR THE FOLLOWING BYTES
: 3B05DC614700742E</FONT>
<BR><FONT FACE="Courier New,Courier"><B>REPLACE</B> WITH <B><U><FONT COLOR="#990000">HIGHLIGHTED</FONT></U></B>
BYTES : 3B05DC614700<B><FONT COLOR="#990000">EB</FONT></B>2E</FONT>

<P><FONT FACE="Arial,Helvetica">This patch will permanently disable the
two checks it performs to see if it's been patched.</FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">OK, now once more
fire up RegView, let's see if it runs now...</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">It does..:)</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Job Done.</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT SIZE=+2><FONT COLOR="#0000FF">The Patches</FONT>&nbsp;</FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica">Load up regview.exe into your favorite
Hex-Editor ( I prefer hexWorkshop-32) but just about any Hex-Editor will
do..</FONT>
<BR>&nbsp;
<BR><FONT FACE="Courier New,Courier"><B>SEARCH</B> FOR THE FOLLOWING BYTES
: E838BFFCFF84C00F</FONT>
<BR><FONT FACE="Courier New,Courier"><B>REPLACE</B> WITH <B><U><FONT COLOR="#990000">HIGHLIGHTED</FONT></U></B>
BYTES : E838BFFCFF<B><FONT COLOR="#990000">EB2B</FONT></B>0F</FONT>
<BR>&nbsp;
<BR>Then...

<P><FONT FACE="Courier New,Courier"><B>SEARCH</B> FOR THE FOLLOWING BYTES
: 3B05DC614700742E</FONT>
<BR><FONT FACE="Courier New,Courier"><B>REPLACE</B> WITH <B><U><FONT COLOR="#990000">HIGHLIGHTED</FONT></U></B>
BYTES : 3B05DC614700<B><FONT COLOR="#990000">EB</FONT></B>2E</FONT>
<BR>&nbsp;
<CENTER><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#3333FF">If you intend
on using this program beyond its evaluation period then please BUY IT!</FONT></FONT></B></CENTER>
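<P><FONT FACE="Arial,Helvetica">The two SEARCH/REPLACE byte strings above also serve as a tamper check for anyone verifying a copy of regview.exe. The following is an added example, not part of the original essay: it classifies each site as original, patched, ambiguous or absent. The function names and the sample images are constructed for illustration.</FONT>

```python
"""Classify the two byte sites named in the essay in a copy of regview.exe."""
import sys
from typing import Dict, List

# Byte strings quoted in the essay's SEARCH / REPLACE instructions.
SITES = {
    "registration_check": (bytes.fromhex("E838BFFCFF84C00F"),
                           bytes.fromhex("E838BFFCFFEB2B0F")),
    "integrity_check": (bytes.fromhex("3B05DC614700742E"),
                        bytes.fromhex("3B05DC614700EB2E")),
}


def find_all(data: bytes, needle: bytes) -> List[int]:
    """Return every file offset at which needle occurs."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def classify(data: bytes) -> Dict[str, dict]:
    """Report the state of each site: original, patched, ambiguous or absent."""
    report = {}
    for name, (original, patched) in SITES.items():
        orig_at, mod_at = find_all(data, original), find_all(data, patched)
        if orig_at and mod_at:
            state = "ambiguous"   # both forms present: inspect by hand
        elif mod_at:
            state = "patched"
        elif orig_at:
            state = "original"
        else:
            state = "absent"      # other version or packed file: no verdict
        report[name] = {"state": state, "offsets": orig_at + mod_at}
    return report


def is_tampered(data: bytes) -> bool:
    """True if any site carries the modified bytes."""
    return any(r["state"] in ("patched", "ambiguous")
               for r in classify(data).values())


# Constructed sample images (padding plus the quoted bytes), not real file data.
CLEAN = b"\x90" * 16 + SITES["registration_check"][0] + b"\x00" * 8 + SITES["integrity_check"][0]
MODIFIED = b"\x90" * 16 + SITES["registration_check"][1] + b"\x00" * 8 + SITES["integrity_check"][0]

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else MODIFIED
    for site, result in classify(image).items():
        print(site, result["state"], [hex(o) for o in result["offsets"]])
    sys.exit(1 if is_tampered(image) else 0)
```

<P><FONT FACE="Arial,Helvetica">A site reported as absent gives no verdict; where a known-good copy is available, comparing a whole-file hash against it is the stronger check.</FONT>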

<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT SIZE=+2><FONT COLOR="#0000FF">Final Notes</FONT>&nbsp;</FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica"><FONT COLOR="#333333">&nbsp;&nbsp;&nbsp;&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica">In this essay we should at least have
a fair idea about how to go about finding where to patch a program, especially
how we can find all kinds of information just from examining a simple routine
to display the number of Uses/Days we have left to evaluate the target
software.</FONT>

<P><FONT FACE="Arial,Helvetica">So if a program gives you say, 30 trial
uses or 30 days to evaluate the software then in your 'Dead Listing' try
searching for:</FONT>

<P><B><U>Search</U></B> for: <B>B81E000000</B>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">which should display the instruction <B>mov&nbsp;
eax,0000001E</B></FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">Remember, just about all Shareware programs
need a memory location to store a value in that tells it whether or not
it has been registered and that as a general rule the default value will
be a '0' meaning unregistered.. If this is so then somewhere within the
program this memory location <B><U>HAS</U></B> to be changed so that it
contains *usually* a value of '1' meaning now *registered*.</FONT>

<P>Notice also that the text messages used within the program helped us
greatly to quickly locate the relevant routines that we were looking for..
They are like flashing beacons to *crackers*..:)
<BR>&nbsp;
<BR>My thanks and gratitude go to:-
<BR>&nbsp;
<BR><FONT FACE="Arial,Helvetica">Fravia+ for providing possibly the greatest
source of Reverse Engineering</FONT>
<BR><FONT FACE="Arial,Helvetica">knowledge on the Web.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">+ORC for showing me the light at the end
of the tunnel.</FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT COLOR="#0000FF"><FONT SIZE=+2>Ob Duh</FONT></FONT>&nbsp;</CENTER>
</TD>
</TR>
</TABLE>
<I><FONT FACE="Arial,Helvetica">&nbsp;</FONT></I>
<BR><I><FONT FACE="Arial,Helvetica">Do I really have to remind you all
that buying and NOT stealing the software you use will encourage these
software houses to produce even *better* software for
us to use and enjoy?</FONT></I>

<P><I><FONT FACE="Arial,Helvetica">Ripping off software through serials
and cracks is for lamers..</FONT></I>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><I><FONT FACE="Arial,Helvetica">If you're looking for cracks or serial
numbers from these pages then you're wasting your time, try searching elsewhere
on the Web under Warze, Cracks etc.</FONT></I>
<BR>&nbsp;
<BR>

<HR SIZE=3 WIDTH="100%"><FONT FACE="Arial,Helvetica"><FONT SIZE=-2>Essay
by:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A HREF="mailto:The Sandman<greenway@proweb.co.uk>">The
Sandman</A></FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT SIZE=-2>Page Created: 26th July
1998</FONT></FONT>

</BODY>
</HTML>
