What are we going to do today?

We'll conquer the world, And we'll do it with my (your) mind... mind... mind!

A 10 minute crack

I personally like the game Risiko, so I wanted to have a version on my new iPAQ. Looking around a little I found

- Pocket Conquest 1.1a (ARM version)

which you can download from http://www.windowsgames.co.uk/conquestCE.html.

The game is fully playable, but you are not allowed to change these options:

- Use map
- Humans and Computer players (always 6 players required)
- Cards

If you change one of the options and click OK you will get this MessageBox:

- You can't change the default options in the shareware version.

OK, let's see what's 'wrong'. Fire up IDA and open "PocketConquest (ARM).exe".
You will see: Load file as: Portable Executable for ARM (PE)
Processor type: Intel 80x86 processors: metapc

That's fine. Click OK (IDA will pop up and ask you for aygshell.dll; you can safely ignore this) and wait....

Let's conquer the world

Use the IDA Names window (Shift+F4), look around for the text of the MessageBox, and you will find:
.data:000215B8 aYouCanTChangeT unicode 0, <You can't change the default options>
.data:000215B8                                         ; DATA XREF: .text:00016978o
.data:000215B8                 DCW 0xA
.data:000215B8                 unicode 0, <in the shareware version.>


Follow the XREFs (two times), starting from aYouCanTChangeT, and you will come to the place where the MessageBox is filled:

.text:00016934 loc_16934                               ; CODE XREF: .text:00016910
.text:00016934                                         ; .text:0001691C
.text:00016934                 LDR     R2, =aConquest_0
.text:00016938                 MOV     R3, #0x30
.text:0001693C                 LDR     R1, =aYouCanTChangeT
.text:00016940                 MOV     R0, R8
.text:00016944                 BL      MessageBoxW <-- Nag screen
.text:00016948                 LDR     R1, =aWorld_0
.text:0001694C                 ADD     R0, R4, #0x48
.text:00016950                 BL      wcscpy
.text:00016954                 MOV     R0, #6
.text:00016958                 STR     R0, [R4,#4]
.text:0001695C                 MOV     R0, #2
.text:00016960                 MOV     R12, #0x1740
.text:00016964                 ORR     R12, R12, #0x14
.text:00016968                 STR     R0, [R4,R12]
.text:0001696C

That's fine, now we know the place we must not run into: loc_16934. As you can see there are two references to this location. Scroll up a little and we see these lines of code:

.text:000168C0 loc_168C0                               ; CODE XREF: .text:0001685Cj
.text:000168C0                                         ; .text:00016884j
.text:000168C0                 MOV     R1, #0x3EC
.text:000168C4                 ORR     R1, R1, #3
.text:000168C8                 MOV     R0, R8
.text:000168CC                 BL      GetDlgItem
.text:000168D0                 MOV     R3, #0
.text:000168D4                 MOV     R2, #0
.text:000168D8                 MOV     R1, #0xF0
.text:000168DC                 BL      SendMessageW
.text:000168E0                 LDR     R1, =aWorld_1
.text:000168E4                 CMP     R0, #1
.text:000168E8                 MOVEQ   R0, #1
.text:000168EC                 MOVEQ   R12, #0x1740
.text:000168F0                 ORREQ   R12, R12, #0xC
.text:000168F4                 STREQ   R0, [R4,R12]
.text:000168F8                 ADD     R0, R4, #0x48
.text:000168FC                 MOVNE   R12, #0x1740
.text:00016900                 ORRNE   R12, R12, #0xC
.text:00016904                 STRNE   R9, [R4,R12]
.text:00016908                 BL      wcscmp
.text:0001690C                 MOVS    R3, R0
.text:00016910
.text:00016910 Worldmap_check_jump
.text:00016910                 BNE     loc_16934
.text:00016914                 LDR     R0, [R4,#4]
.text:00016918                 CMP     R0, #6
.text:0001691C
.text:0001691C Player_check_jump
.text:0001691C                 BNE     loc_16934
.text:00016920                 MOV     R12, #0x1740
.text:00016924                 ORR     R12, R12, #0x14
.text:00016928                 LDR     R0, [R4,R12]
.text:0001692C                 CMP     R0, #2
.text:00016930
.text:00016930 Card_check_jump
.text:00016930                 BEQ     loc_1696C

Here we can see the three checks which we have to change:

	  .text:00016910                 BNE     loc_16934
	  .text:0001691C                 BNE     loc_16934
	  .text:00016930                 BEQ     loc_1696C

The first two are easy to find, the last one needs a little more brainwork ;)

So let's change the values. Fire up Hiew, go to address 0x16910 and you will see:

07 00 00 1A = BNE

I would say we NOP it out, so that it does not matter if it's the same (default) value or not:

90 90 90 90

Do the same with address 0x1691C. Last but not least we change address 0x16930:

0D 00 00 0A = BEQ

I would recommend jumping unconditionally (B) instead of only on equal (BEQ):

0D 00 00 EA = B
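To double-check that the branch words quoted above really point where the listing says, here is an added example (my own code, not part of the original tutorial) that decodes the ARM B/BL encoding: condition code in the top nibble, a 24-bit signed word offset, and a PC that reads as instruction address + 8. The addresses and the hex bytes are the ones quoted above; `struct` and the helper names are mine.

```python
import struct

# ARM condition-code suffixes, indexed by the top nibble of the instruction word.
# 0xE ("always") has no suffix, so a plain B is cond 0xE.
COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE", "", "NV"]


def decode_branch(addr, raw):
    """Decode a 32-bit little-endian ARM word at address `addr` as B/BL.

    Returns (mnemonic, target) or None if the word is not a branch.
    Bits 27:25 must be 101; bit 24 is the link bit; bits 23:0 hold a
    signed word offset, and the target is addr + 8 + (offset << 2).
    """
    (word,) = struct.unpack("<I", raw)
    if (word >> 25) & 0b111 != 0b101:
        return None
    cond = COND[word >> 28]
    link = (word >> 24) & 1
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:              # sign-extend the 24-bit field
        imm24 -= 1 << 24
    target = (addr + 8 + (imm24 << 2)) & 0xFFFFFFFF
    return ("BL" if link else "B") + cond, target


def describe(addr, raw):
    """Render one listing-style line: address, raw bytes, mnemonic, target."""
    result = decode_branch(addr, raw)
    if result is None:
        return f"{addr:08X}  {raw.hex(' ')}  (not a branch)"
    mnem, target = result
    return f"{addr:08X}  {raw.hex(' ')}  {mnem:<4} loc_{target:X}"


# Constructed from the hex dumps quoted in the tutorial: two original words
# and the patched word at 0x16930.
WORDS = [
    (0x16910, bytes.fromhex("0700001A")),   # original: BNE loc_16934
    (0x16930, bytes.fromhex("0D00000A")),   # original: BEQ loc_1696C
    (0x16930, bytes.fromhex("0D0000EA")),   # patched:  B   loc_1696C
]

if __name__ == "__main__":
    for addr, raw in WORDS:
        print(describe(addr, raw))
```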

That's it. Have fun conquering the world.....

twoFace