Story of the streambox vcr 1 beta 3.1 crack
I apologize that these notes are so haphazard and all over the place.
I made the mistake of trying to document this crack four months after
 I did it.
This took me almost a full week of work, if memory serves me correctly.
Usually restoring functions to programs is either trivially easy, if the
 programmer has just put in a flag to disable functions on a demo version,
 or virtually impossible, if the programmer has removed key procedures from
 compilation.
The restoration of RealAudio recording abilities to streambox vcr turned out
 to be a middle-of-the-road crack.  This was most definitely *not* a case of
 a flag to disable functions.  The code has been modified in several places
 to remove realaudio downloading without prejudice.  BUT, luckily for us,
 the important key procedures for recording realaudio are still in the code.
Basically, I spent a lot of time comparing the newer version of the code with
 the beta 2 version which included realaudio support, and figured out how to
 modify and splice in the small amounts of missing code which had been removed
 from the newer version.
8/20/00
-Flying Raichu




*****************************************************************************
************ PART 1 - FINDING AND REMOVING THE PHONE HOME CODE **************
*****************************************************************************


-----------------------------------------------------------------------------

Let's look at one call to mommy:

Begins at 
 	* Referenced by a CALL at Addresses:
	|:0041FD48   , :0041FF7C   
	|
	:004208CC 55                      push ebp

We know this is the call because we can see it form the request similar to
 what it did in beta 2, although we note that the server address 216.34.68.140
 is no longer hard coded as a string reference as it was in earlier versions,
 but rather the address is constructed dynamically.  However, we do see the telltale
 "ID=%s" inside an http address construction procedure:
 
	* Possible StringData Ref from Data Obj ->"http://"
	:00420900 688CC74E00              push 004EC78C
	* Possible StringData Ref from Data Obj ->"/_vt"
	:00420960 6894C74E00              push 004EC794
	* Possible StringData Ref from Data Obj ->"i_bi"
	:0042096D 689CC74E00              push 004EC79C
	* Possible StringData Ref from Data Obj ->"n/go.dl"
	:0042097A 68A4C74E00              push 004EC7A4
	* Possible StringData Ref from Data Obj ->"l?ID=%s"
	:00420987 68ACC74E00              push 004EC7AC
	
-----------------------------------------------------------------------------

Let's see who calls it from 0041fd48 and 0041ff7c.

Both of these are forming the info to send.  It looks like:
	* Possible StringData Ref from Data Obj ->"VERS"
	:0041FBFB 682CC64E00              push 004EC62C
	* Possible StringData Ref from Data Obj ->"REQS"
	:0041FC21 6834C64E00              push 004EC634
	* Possible StringData Ref from Data Obj ->"MAIL"
	:0041FC44 683CC64E00              push 004EC63C
	* Possible StringData Ref from Data Obj ->"NAME"
	:0041FC79 6844C64E00              push 004EC644
	* Possible StringData Ref from Data Obj ->"PASS"
	:0041FCAE 684CC64E00              push 004EC64C
	* Possible StringData Ref from Data Obj ->"END."
	:0041FCE3 6854C64E00              push 004EC654

-----------------------------------------------------------------------------

Who calls these info-preparing functions?
The first caller starts at:
	* Referenced by a CALL at Address 004206F7   
	:0041FBBE 55                      push ebp
The second caller starts at:
	* Referenced by a CALL at Address 0041FB6F   
	:0041FDC2 55                      push ebp

-----------------------------------------------------------------------------

The function containing the first call site, 004206F7, is itself called from
* Referenced by a CALL at Addresses:
|:00401D86   , :00402038   
|
:0042065F 55                      push ebp

Looking at the 00401d86 call we see something that makes us happy:
	:00401D86 E8D4E80100              call 0042065F
	:00401D8B 85C0                    test eax, eax
	:00401D8D 7411                    je 00401DA0
See that "test eax,eax"? That's going to be our train coming into the station.

-----------------------------------------------------------------------------

Assuming that this call to 0042065F is a call to register,
 AND that the check of eax is the check asking if everything is ok,
 let's just force 0042065F to say that it sent the info and everything
 went ok.
 
So we stick the following code into 0042065F
	B801000000              mov eax, 00000001
	C20400                  ret 0004
	(duplicates the ret we see in the real end of the procedure)

i.e., with a hex editor, change file location 0002065F
 from [558B EC6A FF68 96C4] to [B801 0000 00C2 0400]

-----------------------------------------------------------------------------

Okay, it works! And like the previous crack for beta 2, it asks for the registration info
 on first running, saves it, thinks it registers with the server, and never asks for info
 again, and stops calling for its mommy.
(though we need to check some other places first to verify that it doesn't check for upgrades,
 etc. elsewhere...)
 
-----------------------------------------------------------------------------

Now we try downloading a file.
Whoops! It's trying to call home again!
Guess we only caught the registration submission procedure!

-----------------------------------------------------------------------------

Okay, remember how there were TWO calls to the procedure we found that phoned
home?  We only looked at one of the calls; let's look at the other.

The call to 0041FDC2 is from 0041FB6F (starts at 0041FAD3),
 which is called from 00455B47.

Following this back to 00455B15 we see some code that looks VERY VERY familiar
from our crack of beta2.

	* Referenced by a CALL at Addresses:
	|:0041B406   , :0041E424   , :0041E591   , :00420FA1   , :0042110E   
	|:00422CE9   , :00448EFF   , :0044906C   , :0044CC0C   , :00456FDB   
	|
	:00455B15 55                      push ebp
	:00455B16 8BEC                    mov ebp, esp
	:00455B18 51                      push ecx
	:00455B19 894DFC                  mov dword ptr [ebp-04], ecx
	:00455B1C 8B45FC                  mov eax, dword ptr [ebp-04]
	:00455B1F 83B82801000000          cmp dword ptr [eax+00000128], 00000000
	:00455B26 7407                    je 00455B2F
	:00455B28 B801000000              mov eax, 00000001
	:00455B2D EB2F                    jmp 00455B5E

We know from beta 2 that all we need to do to make it think it got permission is to
patch in at the start:
	mov eax, 00000001
	ret

so change file location (00055b15)
 from [558B EC51 894D] to [B801 0000 00C3]

-----------------------------------------------------------------------------

Okay, whew, no more phoning home!  Now the hard stuff....

-----------------------------------------------------------------------------


*****************************************************************************
************* PART 2 - RESTORING REALAUDIO RECORDING ABILITIES **************
*****************************************************************************

I know these notes below don't help much.  If you really want to understand
 what I did, the easiest way is to examine the source code of the original
 and compare it to the cracked version.

-----------------------------------------------------------------------------

When we try to download an rtsp file it adds a line in the log window that says
"PNM/RTSP is not supported in current version". We search for this and find it at:
	* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
	|:00452FF7(C), :00453003(C)
	|
	* Possible StringData Ref from Data Obj ->"PNM/RTSP is not supported in current "
	                                        ->"version, trying HTTP connect"
                                  |
	:00453014 68E8E84E00              push 004EE8E8

So let's walk the cat back and hope the rtsp code is hiding in there somewhere.

-----------------------------------------------------------------------------

:00452FF0 83BAC400000004          cmp dword ptr [edx+000000C4], 00000004
:00452FF7 741B                    je 00453014
:00452FF9 8B45C4                  mov eax, dword ptr [ebp-3C]
:00452FFC 83B8C400000010          cmp dword ptr [eax+000000C4], 00000010
:00453003 740F                    je 00453014
:00453005 8B4DC4                  mov ecx, dword ptr [ebp-3C]
:00453008 81B9C400000080000000    cmp dword ptr [ecx+000000C4], 00000080
:00453012 751A                    jne 0045302E

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00452FF7(C), :00453003(C)
|

* Possible StringData Ref from Data Obj ->"PNM/RTSP is not supported in current "
                                        ->"version, trying HTTP connect"
                                  |
:00453014 68E8E84E00              push 004EE8E8
:00453019 8B4DC4                  mov ecx, dword ptr [ebp-3C]
:0045301C E8F7170000              call 00454818
:00453021 8B55C4                  mov edx, dword ptr [ebp-3C]
:00453024 C782C400000001000000    mov dword ptr [ebx+000000C4], 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00453012(C)
|
:0045302E 8B45C4                  mov eax, dword ptr [ebp-3C]

Maybe we can just remove the rtsp complaint and it will work?
We try patching in at 00452FF0 a jump to 0045302E,
 i.e., change file 00052FF0 from [83BA C400 0000 04] to [EB3C 9090 9090 90]

Unfortunately, it gets rid of the message about rtsp not supported,
 but generates a real error saying unknown protocol. NOT a good sign.

Okay, before you start getting sad, let's see if we can't find some evidence of
 rtsp code in the program.  There is lots of it: lots of messages about the rtsp server
 returning messages, etc.  SO it looks like some of the code is still in there, we just have to
 figure out how to let it run.

-----------------------------------------------------------------------------

Let's try NOPing this

:00453024 C782C400000001000000    mov dword ptr [ebx+000000C4], 00000001

to see if this is what changes it to try http.
Change file 00053024
 from [C782 C400 0000 0100 0000] to [9090 9090 9090 9090 9090]

Yes, this line is what makes it try the http protocol instead of rtsp.
Now as we said, simply NOPing this just gives us a protocol error, but now
 we have confirmed that we are looking for someone who peeks into [ebx+000000C4].

-----------------------------------------------------------------------------

After going over the code for a *long* time, and comparing new and old versions of streambox vcr,
 we identify a fairly generic procedure which is called to initiate the download for each protocol.
It appears that a version of this generic code, customized for realaudio, is missing in the new
 streambox vcr (actually two copies, each slightly customized for different realaudio protocols).
SO, what we will want to do is carve out some space in the new streambox vcr file and reconstruct
 these missing subroutines.

-----------------------------------------------------------------------------

Let's look at a generic routine we want to copy (this is the ftp routine from file pos 000530D6)

:004530D6 68CC010000              push 000001CC				// customize for pnm/rtsp
:004530DB E8D97D0400              call 0049AEB9				// fixup
:004530E0 83C404                  add esp, 00000004
:004530E3 8945D8                  mov dword ptr [ebp-28], eax
:004530E6 C745FC01000000          mov [ebp-04], 00000001
:004530ED 837DD800                cmp dword ptr [ebp-28], 00000000
:004530F1 7411                    je 00453104
:004530F3 8B45C4                  mov eax, dword ptr [ebp-3C]
:004530F6 50                      push eax
:004530F7 8B4DD8                  mov ecx, dword ptr [ebp-28]
:004530FA E8C1390000              call 00456AC0				// fixup and redirect
:004530FF 8945AC                  mov dword ptr [ebp-54], eax
:00453102 EB07                    jmp 0045310B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004530F1(C)
|
:00453104 C745AC00000000          mov [ebp-54], 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00453102(U)
|
:0045310B 8B4DAC                  mov ecx, dword ptr [ebp-54]
:0045310E 894DDC                  mov dword ptr [ebp-24], ecx
:00453111 C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF
:00453118 8B55C4                  mov edx, dword ptr [ebp-3C]
:0045311B 8B45DC                  mov eax, dword ptr [ebp-24]
:0045311E 898248010000            mov dword ptr [edx+00000148], eax
:00453124 6A01                    push 00000001
:00453126 6A21                    push 00000021

* Possible StringData Ref from Data Obj ->"FTP PROTOCOL"
                                  |
:00453128 6844E94E00              push 004EE944				// customize
:0045312D 8B4DC4                  mov ecx, dword ptr [ebp-3C]
:00453130 E805170000              call 0045483A				// fixup

* Possible StringData Ref from Data Obj ->"FTP"
                                  |
:00453135 6854E94E00              push 004EE954				// customize
:0045313A 8B4DC4                  mov ecx, dword ptr [ebp-3C]
:0045313D 81C1FC000000            add ecx, 000000FC
:00453143 E8D5780400              call 0049AA1D				// fixup
:00453148 E9E6000000              jmp 00453233				// fixup

-----------------------------------------------------------------------------

if this is the size of a proc, we need a minimum (more if we have to do long jumps)
  00453148
 -004530d6
 =========
  00000062 bytes
  
  and we need room for at least 2 (maybe 3) of these sections (1 for pnm, 1 for rtsp).

where are we going to find room for this?
well.... there is all that phone home code that is no longer needed... code 00420667 (file 00020667) 

We use Cool McCool's very cool utility, Opcode Generator to fixup the jumps in the newly created code segments.


-----------------------------------------------------------------------------

FIRST created code segment, which we will use for rtsp (starts at file 00020667):

:00420667 68CC010000              push 000001CC					// fixed for rtsp
:0042066C E8D97D0400              call 0046844A					// 1) want 0049AEB9
:00420671 83C404                  add esp, 00000004
:00420674 8945D8                  mov dword ptr [ebp-28], eax
:00420677 C745FC01000000          mov [ebp-04], 00000001
:0042067E 837DD800                cmp dword ptr [ebp-28], 00000000
:00420682 7411                    je 00420695
:00420684 8B45C4                  mov eax, dword ptr [ebp-3C]
:00420687 50                      push eax
:00420688 8B4DD8                  mov ecx, dword ptr [ebp-28]
:0042068B E8C1390000              call 00424051					// 2) want 00456AC0
:00420690 8945AC                  mov dword ptr [ebp-54], eax
:00420693 EB07                    jmp 0042069C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00420682(C)
|
:00420695 C745AC00000000          mov [ebp-54], 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00420693(U)
|
:0042069C 8B4DAC                  mov ecx, dword ptr [ebp-54]
:0042069F 894DDC                  mov dword ptr [ebp-24], ecx
:004206A2 C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF
:004206A9 8B55C4                  mov edx, dword ptr [ebp-3C]
:004206AC 8B45DC                  mov eax, dword ptr [ebp-24]
:004206AF 898248010000            mov dword ptr [edx+00000148], eax
:004206B5 6A01                    push 00000001
:004206B7 6A21                    push 00000021
* Possible StringData Ref from Data Obj ->"FTP PROTOCOL"
                                  |
:004206B9 6844E94E00              push 004EE944					//
:004206BE 8B4DC4                  mov ecx, dword ptr [ebp-3C]
:004206C1 E805170000              call 00421DCB					// 3) want 0045483A
* Possible StringData Ref from Data Obj ->"FTP"
                                  |
:004206C6 6854E94E00              push 004EE954					//
:004206CB 8B4DC4                  mov ecx, dword ptr [ebp-3C]
:004206CE 81C1FC000000            add ecx, 000000FC
:004206D4 E8D5780400              call 00467FAE					// 4) want 0049AA1D
:004206D9 E9E6000000              jmp 004207C4					// 5) want 00453233

Then modify the messages from "FTP" to "RTSP".

-----------------------------------------------------------------------------

Summarizing the correct rtsp routine:
:00420667 68CC010000              push 000001CC
:0042066C E848A80700              call 0049AEB9
:00420671 83C404                  add esp, 00000004
:00420674 8945D8                  mov dword ptr [ebp-28], eax
:00420677 C745FC01000000          mov [ebp-04], 00000001
:0042067E 837DD800                cmp dword ptr [ebp-28], 00000000
:00420682 7411                    je 00420695
:00420684 8B45C4                  mov eax, dword ptr [ebp-3C]
:00420687 50                      push eax
:00420688 8B4DD8                  mov ecx, dword ptr [ebp-28]
:0042068B E830640300              call 00456AC0
:00420690 8945AC                  mov dword ptr [ebp-54], eax
:00420693 EB07                    jmp 0042069C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00420682(C)
|
:00420695 C745AC00000000          mov [ebp-54], 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00420693(U)
|
:0042069C 8B4DAC                  mov ecx, dword ptr [ebp-54]
:0042069F 894DDC                  mov dword ptr [ebp-24], ecx
:004206A2 C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF
:004206A9 8B55C4                  mov edx, dword ptr [ebp-3C]
:004206AC 8B45DC                  mov eax, dword ptr [ebp-24]
:004206AF 898248010000            mov dword ptr [edx+00000148], eax
:004206B5 6A01                    push 00000001
:004206B7 6A21                    push 00000021
:004206B9 6845E94E00              push 004EE945
:004206BE 8B4DC4                  mov ecx, dword ptr [ebp-3C]
:004206C1 E874410300              call 0045483A
:004206C6 6855E94E00              push 004EE955
:004206CB 8B4DC4                  mov ecx, dword ptr [ebp-3C]
:004206CE 81C1FC000000            add ecx, 000000FC
:004206D4 E844A30700              call 0049AA1D
:004206D9 E9552B0300              jmp 00453233

-----------------------------------------------------------------------------

Okay, our plan is to put the pnm code at 004208CC (file 000208cc), which should be safe
 since it's code we bypass to avoid phoning home.

:004208CC 68CC010000              push 000001CC					// changed to pnm 01E8
:004208D1 E848A80700              call 0049B11E					// 1) want 0049AEB9
:004208D6 83C404                  add esp, 00000004
:004208D9 8945D8                  mov dword ptr [ebp-28], eax
:004208DC C745FC01000000          mov [ebp-04], 00000001
:004208E3 837DD800                cmp dword ptr [ebp-28], 00000000
:004208E7 7411                    je 004208FA
:004208E9 8B45C4                  mov eax, dword ptr [ebp-3C]
:004208EC 50                      push eax
:004208ED 8B4DD8                  mov ecx, dword ptr [ebp-28]
:004208F0 E830640300              call 00456D25					// 2) pnm at 0044C720
:004208F5 8945AC                  mov dword ptr [ebp-54], eax
:004208F8 EB07                    jmp 00420901

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004208E7(C)
|
:004208FA C745AC00000000          mov [ebp-54], 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004208F8(U)
|
:00420901 8B4DAC                  mov ecx, dword ptr [ebp-54]
:00420904 894DDC                  mov dword ptr [ebp-24], ecx
:00420907 C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF
:0042090E 8B55C4                  mov edx, dword ptr [ebp-3C]
:00420911 8B45DC                  mov eax, dword ptr [ebp-24]
:00420914 898248010000            mov dword ptr [edx+00000148], eax
:0042091A 6A01                    push 00000001
:0042091C 6A21                    push 00000021
:0042091E 6845E94E00              push 004EE945					// fix message
:00420923 8B4DC4                  mov ecx, dword ptr [ebp-3C]
:00420926 E874410300              call 00454A9F					// 3) want 0045483A
:0042092B 6855E94E00              push 004EE955					// fix message
:00420930 8B4DC4                  mov ecx, dword ptr [ebp-3C]
:00420933 81C1FC000000            add ecx, 000000FC
:00420939 E844A30700              call 0049AC82					// 4) want 0049AA1D
:0042093E E9552B0300              jmp 00453498					// x5) want 00453233
:00420943 90                      nop

-----------------------------------------------------------------------------

Summarizing the corrected pnm routine:

:004208CC 68E8010000              push 000001E8
:004208D1 E8E3A50700              call 0049AEB9
:004208D6 83C404                  add esp, 00000004
:004208D9 8945D8                  mov dword ptr [ebp-28], eax
:004208DC C745FC01000000          mov [ebp-04], 00000001
:004208E3 837DD800                cmp dword ptr [ebp-28], 00000000
:004208E7 7411                    je 004208FA
:004208E9 8B45C4                  mov eax, dword ptr [ebp-3C]
:004208EC 50                      push eax
:004208ED 8B4DD8                  mov ecx, dword ptr [ebp-28]
:004208F0 E82BBE0200              call 0044C720
:004208F5 8945AC                  mov dword ptr [ebp-54], eax
:004208F8 EB07                    jmp 00420901
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004208E7(C)
|
:004208FA C745AC00000000          mov [ebp-54], 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004208F8(U)
|
:00420901 8B4DAC                  mov ecx, dword ptr [ebp-54]
:00420904 894DDC                  mov dword ptr [ebp-24], ecx
:00420907 C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF
:0042090E 8B55C4                  mov edx, dword ptr [ebp-3C]
:00420911 8B45DC                  mov eax, dword ptr [ebp-24]
:00420914 898248010000            mov dword ptr [edx+00000148], eax
:0042091A 6A01                    push 00000001
:0042091C 6A21                    push 00000021
:0042091E 6847E94E00              push 004EE947
:00420923 8B4DC4                  mov ecx, dword ptr [ebp-3C]
:00420926 E80F3F0300              call 0045483A
:0042092B 6857E94E00              push 004EE957
:00420930 8B4DC4                  mov ecx, dword ptr [ebp-3C]
:00420933 81C1FC000000            add ecx, 000000FC
:00420939 E8DFA00700              call 0049AA1D
:0042093E E9F0280300              jmp 00453233

-----------------------------------------------------------------------------

Okay, now we've built the 2 new routines, and we need to splice the proper jumps into the
 main procedures.

-----------------------------------------------------------------------------

The easiest place for the rtsp jump would be to jmp to 00420667 from:
	* Possible StringData Ref from Data Obj ->"PNM/RTSP is not supported in current "
	                          	|       ->"version, trying HTTP connect"
	:00453014 68E8E84E00              push 004EE8E8                     (file 00053014)
	:00453019 8B4DC4                  mov ecx, dword ptr [ebp-3C]
	:0045301C E8F7170000              call 00454818
	:00453021 8B55C4                  mov edx, dword ptr [ebp-3C]
	:00453024 C782C400000002000000    mov dword ptr [ebx+000000C4], 00000002
and not worry about printing the above warning.
SO, what we want is:
	:00453014 E94ED6FCFF              jmp 00420667

-----------------------------------------------------------------------------

Okay, now we want to set up a different jump for pnm, so first patch the pnm cmp jump to a different
location within the main proc.  pnm code is #4 (rtsp is #10), so what we want is to change:
	:00452FF7 741B                    je 00453014
to	:00452FF7 7420                    je 00453019

Then from 00453019 we jump to the new pnm code:
	:00453019 E9AED8FCFF              jmp 004208CC (file 00053019)
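The jump fixups in the copied rtsp segment (the "want" targets) and the two splice jumps into the main proc all follow one rule: the operand of an E8/E9 (and of the short EB/74/75 forms) is a displacement relative to the end of the instruction, so a routine copied verbatim to a new address keeps its bytes but its calls land somewhere else. This added Python example is not part of the original notes or of the Opcode Generator tool: it decodes the notes' own listing lines to check that each stated target agrees with its bytes, and re-encodes the copied call to reproduce the corrected bytes. The 0x400000 VA-to-file delta is an assumption read off the notes' address/file pairs.

```python
import re

# The notes map virtual addresses to file offsets by subtracting 0x400000
# (e.g. :004208CC -> file 000208CC).  This delta is an assumption taken from
# the notes' own address pairs; a general tool would read the PE section table.
IMAGE_TO_FILE_DELTA = 0x400000

# Matches listing lines such as ":0042066C E8D97D0400   call 0046844A // 1) want 0049AEB9"
LINE_RE = re.compile(
    r"^:?(?P<addr>[0-9A-Fa-f]{8})\s+(?P<raw>[0-9A-Fa-f]+)\s+"
    r"(?P<mnem>call|jmp|je|jne)\s+(?P<target>[0-9A-Fa-f]{8})"
)

# Relative-branch opcodes that appear in the listings -> displacement width in bytes.
BRANCH_OPCODES = {0xE8: 4, 0xE9: 4, 0xEB: 1, 0x74: 1, 0x75: 1}


def encode_branch(opcode, addr, target):
    """Encode the relative branch located at `addr` that lands on `target`.
    The displacement is measured from the end of the instruction, which is why
    code copied verbatim to a new address no longer reaches its old targets."""
    width = BRANCH_OPCODES[opcode]
    disp = target - (addr + 1 + width)
    if width == 1 and not -128 <= disp <= 127:
        raise ValueError("target out of rel8 range; use the E8/E9 form instead")
    return bytes([opcode]) + disp.to_bytes(width, "little", signed=True)


def decode_branch(addr, raw):
    """Return the absolute target encoded by the branch bytes `raw` at `addr`."""
    width = BRANCH_OPCODES[raw[0]]
    disp = int.from_bytes(raw[1:1 + width], "little", signed=True)
    return (addr + 1 + width + disp) & 0xFFFFFFFF


def check_line(line):
    """Parse one listing line and return (addr, stated_target, decoded_target, ok),
    or None when the line is not a relative branch this checker understands."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = bytes.fromhex(m["raw"])
    if raw[0] not in BRANCH_OPCODES or len(raw) != 1 + BRANCH_OPCODES[raw[0]]:
        return None
    addr = int(m["addr"], 16)
    stated = int(m["target"], 16)
    decoded = decode_branch(addr, raw)
    return addr, stated, decoded, stated == decoded


def fixup(line, wanted_target):
    """Re-encode the branch on a listing line so that, at its current address,
    it reaches `wanted_target` (the 'fixup' step after copying a routine).
    Returns the replacement bytes as an upper-case hex string."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a branch listing line")
    addr = int(m["addr"], 16)
    opcode = bytes.fromhex(m["raw"])[0]
    return encode_branch(opcode, addr, wanted_target).hex().upper()


def va_to_file_offset(va):
    """Virtual address -> file offset, using the delta assumed above."""
    return va - IMAGE_TO_FILE_DELTA


# Listing lines copied from the notes: the raw copy of the ftp call before fixup,
# the corrected rtsp call, a short conditional jump, and the two splice jumps.
SAMPLE_LISTING = """
:0042066C E8D97D0400              call 0046844A
:0042066C E848A80700              call 0049AEB9
:00420682 7411                    je 00420695
:00453014 E94ED6FCFF              jmp 00420667
:00453019 E9AED8FCFF              jmp 004208CC
"""


def check_listing(text):
    """Run check_line over every line; return the non-None results in order."""
    return [r for r in (check_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for addr, stated, decoded, ok in check_listing(SAMPLE_LISTING):
        print(f"{addr:08X} (file {va_to_file_offset(addr):08X}): stated {stated:08X} "
              f"decoded {decoded:08X} {'ok' if ok else 'MISMATCH'}")
    # The copied call still decodes to 0046844A; re-encoding it for 0049AEB9
    # reproduces the bytes shown in the corrected rtsp routine.
    print(fixup(":0042066C E8D97D0400 call 0046844A", 0x0049AEB9))
```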

-----------------------------------------------------------------------------

WORKS!!!!!!!!!!!!!
Now when the user tries to download an rtsp or pnm stream it jumps to our new code and does it.

-----------------------------------------------------------------------------

The SECOND one we will use for pnm:

* Referenced by a CALL at Addresses:
|:00401EB5   , :00401ED4   
|
:00420746 55                      push ebp

:00401EB5 E88CE80100              call 00420746 (file 00001eb5)
:00401ED4 E86DE80100              call 00420746 (file 00001ed4)

-----------------------------------------------------------------------------

Summarizing,
rtsp patch part 1:

We splice rtsp into the ftp code:
in the new file the ftp code starts here:
	:004530D6 68A4000000              push 000000A4
with the "special" call here:
	:004530FA E8617FFCFF              call 0041B060 (file 000530FA)
Voila, it becomes:
	:004530FA E8C1390000              call 00456AC0
	
-----------------------------------------------------------------------------

rtsp patch part 2:

The old file's rtsp pushes the constant 01C4.
Modify the push value here:
	?
change it to:
	:004530D6 68CC010000              push 000001CC
	
WORKS.  now rtsp works without crashing.

-----------------------------------------------------------------------------

pnm patch part 1:

Let's splice pnm code into the mms routine:
in the new file, it looks like the pnm code starts at (in the old file pnm is at 00433e40):
	:0044C720 55                      push ebp
The special call is here:
	:00453171 E8AAF7FCFF              call 00422920 (file 00053171)
so voila, the patch into the mms call becomes:
	:00453171 E8AA95FFFF              call 0044C720

Again, this changes mms to pnm, at least at first, but then
 it crashes like the rtsp patch (though it does try to dial out first)!
(Note: I have had to manually set the file properties to mms (tcp) to get it to try to call this.)

-----------------------------------------------------------------------------

pnm patch part 2:

The old file's pnm pushes the constant 01DC.
Modify the push value at:
	:0045314D 68E8000000              push 000000E8 (file 0005314d)

Indeed, if we patch in
	:0045314D 68E8010000              push 000001E8
	
WORKS! There is no more crash and pnm works!  The same fix worked on rtsp.
 What the hell does this push constant do? (reserve memory?)

-----------------------------------------------------------------------------
RTSP/PNM  protocol notes:

Version 3.1 of streambox vcr identifies 3 kinds of rtsp/pnm streams which are not allowed (4,10,80):
	:00452FF0 83BAC400000004          cmp dword ptr [edx+000000C4], 00000004
	:00452FF7 741B                    je 00453014
	:00452FF9 8B45C4                  mov eax, dword ptr [ebp-3C]
	:00452FFC 83B8C400000010          cmp dword ptr [eax+000000C4], 00000010
	:00453003 740F                    je 00453014
	:00453005 8B4DC4                  mov ecx, dword ptr [ebp-3C]
	:00453008 81B9C400000080000000    cmp dword ptr [ecx+000000C4], 00000080
	:00453012 751A                    jne 0045302E
	* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
	|:00452FF7(C), :00453003(C)
	|
	* Possible StringData Ref from Data Obj ->"PNM/RTSP is not supported in current "
	                                |        ->"version, trying HTTP connect"
	:00453014 68E8E84E00              push 004EE8E8

But version 2 seems to have only 2 (rtsp, pnm), though they are not keyed to 04,10,80.

So one real question is, what is this new rtsp/pnm protocol in version 3.x,
 and should it be handled by the pnm splice, the rtsp splice, or a 3rd undiscovered one???
 I am inclined to believe that there is an extra hidden subroutine for handling this (!)
	
On the other hand, version 3.0 also uses 3 (though I thought initially it was only 2).
 But, it looks like it might treat #80 as a generically unsupported format,
 and if you look in 3.1 and 3.0 you will see prior movs which stick in 80, which
 again suggests this is a generic "unknown realaudio" format,
 which would suggest that this format type is not handleable, and that no secret code exists.

Another question is, which numbers correspond to rtsp and which to pnm?
 It should be easy to check using trial and error and see which works on which.
-----------------------------------------------------------------------------


*****************************************************************************
************************** PART 3 - COSMETICS *******************************
*****************************************************************************

Okay, now we want to fix up the messages they see to tell them rtsp and pnm are enabled.
Let's try as much as possible to be generic so we don't have to redo this for newer versions.

1) We need to change the titlebar which currently says "(PNM/RTSP NOT SUPPORTED)"
    this text is at file location 00101C10 in Unicode:
	"S.t.r.e.a.m.B.o.x. .V.C.R. .1...0. .B.e.t.a. .3...1. .(.P.N.M./.R.T.S.P. .N.O.T. .S.U.P.P.O.R.T.E.D.)."
    	hex: "530074007200650061006D0042006F0078002000560043005200200031002E00300020004200650074006100200033002E0031002000280050004E004D002F00520054005300500020004E004F005400200053005500500050004F0052005400450044002900"
    we change it to:
    	"S.t.r.e.a.m.B.o.x. .V.C.R. .1...0. .B.e.t.a. .3...1. .-. .F.l.y.i.n.g.R.a.i.c.h.u. .R.T.S.P./.P.N.M..."
    	hex: "530074007200650061006D0042006F0078002000560043005200200031002E00300020004200650074006100200033002E00310020002D00200046006C00790069006E006700520061006900630068007500200052005400530050002F0050004E004D000000"
    	
2) Now a patch for the about box:
    file location 000FC14A
	string "F.i.l.e. .T.r.a.n.s.f.e.r. .C.l.i.e.n.t. .f.o.r. .W.i.n.d.o.w.s. .9.5./.N.T"
	hex: "460069006C00650020005400720061006E007300660065007200200043006C00690065006E007400200066006F0072002000570069006E0064006F00770073002000390035002F004E0054"
    change to
    	string "F.l.y.i.n.g.R.a.i.c.h.u. .R.T.S.P./.P.N.M. .e.d.i.t.i.o.n. . . . .9.5./.N.T"
	hex: "46006C00790069006E006700520061006900630068007500200052005400530050002F0050004E004D002000650064006900740069006F006E002000200020002000390035002F004E0054"
	
3) Initial registration info message:
    file location 00101940 (careful, there is another section in the file with the same beginning)
	string "I.n. .o.r.d.e.r. .t.o. .u.s.e. .S.t.r.e.a.m.b.o.x. .V.C.R.,. .a.n.d. .s.i.n.c.e. .s.o.m.e. .s.t.r.e.a.m.s. .r.e.q.u.i.r.e. .p.e.r.m.i.s.s.i.o.n. .t.o. .r.e.c.o.r.d. .t.h.e.m.,. .y.o.u. .n.e.e.d. .t.o. .s.e.t. .u.p. .a. .S.t.r.e.a.m.b.o.x. .V.C.R. .A.c.c.o.u.n.t... .P.l.e.a.s.e. .f.i.l.l. .i.n. .a.l.l. .f.i.e.l.d.s.,. .u.s.i.n.g. .y.o.u.r. .r.e.a.l. .n.a.m.e. .a.n.d. .e.m.a.i.l. .a.d.d.r.e.s.s... . .T.h.e.n. .c.h.o.o.s.e. .a. .u.n.i.q.u.e. .p.a.s.s.w.o.r.d... . .Y.o.u. .w.i.l.l. .b.e. .a.b.l.e. .t.o. .u.s.e. .t.h.e. .s.a.m.e. .a.c.c.o.u.n.t. .o.n. .a.n.y. .s.e.c.o.n.d.a.r.y. .c.o.m.p.u.t.e.r.(.s.)... . .R.e.g.i.s.t.r.a.t.i.o.n. .i.n.f.o.r.m.a.t.i.o.n. .w.i.l.l. .b.e. .s.e.n.t. .t.o. .y.o.u. .b.y. .e.m.a.i.l."
    change to
        string "A.T.T.E.N.T.I.O.N.:. .t.h.e. .u.n.c.r.a.c.k.e.d. .v.e.r.s.i.o.n. .o.f.s.t.r.e.a.m.b.o.x. .v.c.r. .r.e.q.u.i.r.e.s. .y.o.u. .t.o. .r.e.g.i.s.t.e.r. .w.i.t.h. .a. .c.e.n.t.r.a.l. .s.e.r.v.e.r.,. .a.n.d. .q.u.e.r.i.e.s. .t.h.i.s. .s.e.r.v.e.r. .o.n. .e.a.c.h. .d.o.w.n.l.o.a.d. .a.t.t.e.m.p.t. .w.i.t.h. .t.h.i.s. .u.s.e.r. .i.n.f.o... .T.h.i.s. .c.r.a.c.k.e.d. .v.e.r.s.i.o.n. .d.o.e.s. .n.o.t. .c.o.n.v.e.r.s.e. .w.i.t.h. .t.h.e. .s.t.r.e.a.m.b.o.x. .s.e.r.v.e.r.,. .r.e.m.o.v.e.s. .a.l.l. .r.e.s.t.r.i.c.t.i.o.n.s. .o.n. .r.e.c.o.r.d.a.b.l.e. .c.o.n.t.e.n.t.,. .a.n.d. .r.e.s.t.o.r.e.s. .t.h.e. .a.b.i.l.i.t.y. .t.o. .r.e.c.o.r.d. .r.e.a.l.a.u.d.i.o. .R.T.S.P./.P.N.M. .s.t.r.e.a.m.s... .-.F.l.y.i.n.g.R.a.i.c.h.u. ."
        hex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
 
-----------------------------------------------------------------------------

Now a more complicated one.

4) at file location 000ee8e8 we have:

	"PNM/RTSP is not supported in current version, trying HTTP connect"
	hex: "504E4D2F52545350206973206E6F7420737570706F7274656420696E2063757272656E742076657273696F6E2C20747279696E67204854545020636F6E6E65637400"

   This string is no longer displayed, since we patched over the code that displayed it,
   so we can reuse it for our own purposes: to show the protocol name in our newly
   created procs.  So change the string to:

        "Flying Raichu PNM protocol. Flying Raichu RTSP protocol."
        hex: "466C79696E672052616963687520504E4D2070726F746F636F6C00466C79696E672052616963687520525453502070726F746F636F6C000000000000000000000000"
   

   Then we still need to patch the code to display these messages at the appropriate time.

	* Possible StringData Ref from Data Obj ->"PNM/RTSP is not supported in current "
	                                  |     ->"version, trying HTTP connect"
	:00453014 68E8E84E00              push 004EE8E8
	
   The above line tells us that our string starts at data location 004EE8E8 (bytecode e8e8 4e00,
   the address stored little-endian).  The second half then starts at 004EE8E8 + 1B = 004EE903
   (bytecode 03e9 4e00), since the first string is 26 characters plus its NUL terminator.
   
   Okay, so we want to plug the first string into our created PNM code and the second into our
    constructed RTSP code.
    
   PNM:
   	* Possible StringData Ref from Data Obj ->"Flying Raichu PNM protocol"
	                                  |
	:0042091E 68E8E84E00              push 004EE8E8 (file 0042091e)
	* Possible StringData Ref from Data Obj ->"Flying Raichu PNM protocol"
	                                  |
	:0042092B 68E8E84E00              push 004EE8E8
   
   RTSP:
	:004206B9 6803E94E00              push 004EE903 (file 000206b9)
	:004206C6 6803E94E00              push 004EE903
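As an added example (my own, not part of the original notes), the Python below checks the string patches in points 2 and 4 against the byte budget of the strings they overwrite, and decodes the push imm32 operands to recover the addresses, which is the arithmetic behind 004EE8E8 + 1B = 004EE903. The hex constants are copied from the notes (the point 4 result with its NUL padding trimmed); the helper names are mine. The notes' UTF-16LE hex stops after the low byte of the final 'T', so the decoder pads an odd trailing byte before decoding.

```python
"""Added example, not from the original notes: verify that the replacement
strings fit the slots they overwrite, and decode the push imm32 operands
that reference them. Hex constants are copied from the notes; helper names
are mine."""
import struct

# Point 2 (UTF-16LE): "File Transfer Client for Windows 95/NT" and its replacement.
# Both dumps in the notes omit the high byte of the final code unit.
ORIG_UTF16_HEX = "460069006C00650020005400720061006E007300660065007200200043006C00690065006E007400200066006F0072002000570069006E0064006F00770073002000390035002F004E0054"
NEW_UTF16_HEX = "46006C00790069006E006700520061006900630068007500200052005400530050002F0050004E004D002000650064006900740069006F006E002000200020002000390035002F004E0054"

# Point 4 (ASCII): the 66-byte "PNM/RTSP is not supported ..." string at VA 004EE8E8,
# the two strings packed into it, and the notes' own hex for the result (NUL padding trimmed).
ORIG_ASCII_HEX = "504E4D2F52545350206973206E6F7420737570706F7274656420696E2063757272656E742076657273696F6E2C20747279696E67204854545020636F6E6E65637400"
NOTES_NEW_ASCII_HEX = "466C79696E672052616963687520504E4D2070726F746F636F6C00466C79696E672052616963687520525453502070726F746F636F6C00"
NEW_STRINGS = ["Flying Raichu PNM protocol", "Flying Raichu RTSP protocol"]

PUSH_PNM = bytes.fromhex("68E8E84E00")   # :0042091E push 004EE8E8
PUSH_RTSP = bytes.fromhex("6803E94E00")  # :004206B9 push 004EE903


def utf16_from_hex(hex_text):
    """Decode a UTF-16LE hex dump, padding an odd trailing byte with 00."""
    raw = bytes.fromhex(hex_text)
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le")


def build_replacement(orig_hex, strings):
    """Pack NUL-terminated ASCII strings back to back and pad with NULs to the
    original slot length. Refuses a payload that would overrun the slot and
    clobber whatever follows it in the data section."""
    orig = bytes.fromhex(orig_hex)
    payload = b"".join(s.encode("ascii") + b"\x00" for s in strings)
    if len(payload) > len(orig):
        raise ValueError(f"need {len(payload)} bytes, slot holds {len(orig)}")
    return payload.ljust(len(orig), b"\x00")


def string_offsets(blob):
    """Offsets of each NUL-terminated string in a packed blob (first is 0)."""
    offsets, pos = [], 0
    while pos < len(blob) and blob[pos] != 0:
        offsets.append(pos)
        pos = blob.index(b"\x00", pos) + 1
    return offsets


def push_imm32_target(insn):
    """Operand of an x86 `push imm32` (opcode 68, little-endian immediate)."""
    if len(insn) != 5 or insn[0] != 0x68:
        raise ValueError("not a push imm32")
    return struct.unpack("<I", insn[1:])[0]


def matches_notes():
    """True if the packed strings agree with the notes' hex, ignoring NUL padding."""
    mine = build_replacement(ORIG_ASCII_HEX, NEW_STRINGS)
    theirs = bytes.fromhex(NOTES_NEW_ASCII_HEX)
    return mine.rstrip(b"\x00") == theirs.rstrip(b"\x00")


if __name__ == "__main__":
    for label, hx in (("original", ORIG_UTF16_HEX), ("patched", NEW_UTF16_HEX)):
        s = utf16_from_hex(hx)
        print(f"{label:9} {len(s):2} chars: {s!r}")
    blob = build_replacement(ORIG_ASCII_HEX, NEW_STRINGS)
    print("packed", len(blob), "bytes, string offsets", [hex(o) for o in string_offsets(blob)])
    for name, insn in (("PNM", PUSH_PNM), ("RTSP", PUSH_RTSP)):
        print(f"{name:4} push -> {push_imm32_target(insn):08X}")
    print("notes' hex agrees:", matches_notes())
```

Run it directly to print the decoded strings and offsets. The length check is the part that matters when editing strings in place: the two UTF-16 strings are both 38 code units, and the two ASCII strings plus terminators come to 55 bytes, padded with NULs out to the original 66, so neither patch spills into the data that follows the string.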
	
-----------------------------------------------------------------------------


*****************************************************************************
************************** PART 3 - UNRESOLVED ******************************
*****************************************************************************

-----------------------------------------------------------------------------
10/2/00 Very interesting!  And weird, since the phone-home address is 216.34.68.140
 (VisualRoute says this is exodus.net in Seattle, Washington).

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00424346(C)
|
:0042434C 6A50                    push 00000050

* Possible StringData Ref from Data Obj ->"207.46.130.45"
                                  |
:0042434E 68D0CD4E00              push 004ECDD0
:00424353 8B4DFC                  mov ecx, dword ptr [ebp-04]
:00424356 83C140                  add ecx, 00000040
:00424359 E8BA970300              call 0045DB18
:0042435E 85C0                    test eax, eax
:00424360 750F                    jne 00424371

* Possible StringData Ref from Data Obj ->"Error connecting to daddy"		<------------- huh?
                                  |
:00424362 68E0CD4E00              push 004ECDE0

Weird!! - 207.46.130.45 is MICROSOFT in Redmond, Washington.  What is going on?
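What the notes do above by reading the disassembly, an analyst usually starts by doing mechanically: listing every dotted-quad literal in the binary so each outbound endpoint can be accounted for. Below is an added example of that scan (my own, not the author's), run over a blob constructed for the demo that embeds the two addresses named in these notes, one as ASCII and one as UTF-16LE, since the binary stores strings both ways. An address assembled at runtime rather than stored as a literal will not show up, so a hit list like this is a starting point, not proof of completeness.

```python
"""Added example, not from the original notes: enumerate IPv4 literals
embedded in a binary, in ASCII and in UTF-16LE, and discard lookalikes
that are not valid addresses. The sample blob is constructed for the demo."""
import ipaddress
import re

# Four dot-separated runs of 1-3 digits, not glued to more digits or dots.
ASCII_IP = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Same shape with every character followed by a 00 byte (UTF-16LE).
UTF16_IP = re.compile(rb"(?:[0-9]\x00){1,3}(?:\.\x00(?:[0-9]\x00){1,3}){3}")

# Constructed sample: a fake header, the "daddy" string from the notes, the two
# addresses the notes mention, a version string, and an out-of-range decoy.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"Error connecting to daddy\x00"
    + b"207.46.130.45\x00"
    + "216.34.68.140".encode("utf-16-le") + b"\x00\x00"
    + b"Version 1.3.1\x00"
    + b"999.1.1.1\x00"
)


def find_ip_literals(blob):
    """Return (offset, encoding, address) for every valid IPv4 literal, by offset."""
    hits = []
    for m in ASCII_IP.finditer(blob):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_IP.finditer(blob):
        hits.append((m.start(), "utf-16-le", m.group().decode("utf-16-le")))
    valid = []
    for off, enc, text in hits:
        try:
            ipaddress.IPv4Address(text)  # rejects octets above 255
        except ValueError:
            continue
        valid.append((off, enc, text))
    return sorted(valid)


if __name__ == "__main__":
    for off, enc, addr in find_ip_literals(SAMPLE_BLOB):
        print(f"{off:08x} {enc:9} {addr}")
```

On a real image, feed the whole file in with `open(path, "rb").read()` and check each hit against what the program is documented to contact; the notes' second, unexplained address is exactly the kind of entry this list is meant to surface.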
-----------------------------------------------------------------------------

