An Introduction to W32Dasm
This tutorial is more of a guide and the values herein are likely to vary from version to version of Nero.
The aim of this tutorial is to familiarise you with W32Dasm and hopefully teach you enough to get past Nero's protection so you can modify its resources. Remember: you mod at your own risk!

Before we begin, first make a backup of nero.exe and call it nero.exe.bak

**Always make backups: it means if we mess something up, we have a nice fresh copy to go back to.**

You'll also need to download a copy of URSoft's W32Dasm. W32Dasm is very clean and only needs unzipping to run.

Now, open nero.exe in Resource Hacker, change a string, save, compile and run the .exe. An error message appears. Note what the error message says for future reference. I've noted "file was modified."

Open W32Dasm. To begin, we need to load nero.exe to be disassembled, so go to menu option Disassembler/Open File to Disassemble.. (top right) and select nero.exe.

(Nero is quite big, with a lot of calls to external DLLs, so this is going to take some time to load. Be patient.)

Now that it has loaded, some buttons that were previously grayed out will now be functional. You may be thinking "But what is this I am looking at?" You will need to change the default font. Go to menu option Disassembler/Font.../Select Font. I suggest Courier New/Regular/8. You can save this as the default font under Disassembler/Font.../Save Default Font.

You should now be looking at something like this:


Note the two boxes I've highlighted in red: Imported Functions and String Data References (Imports and Strings). These buttons are useful to us as a quick way to find things out.

Click the button for Strings, and a window will appear. For some programs this list is quite short, but for Nero it's quite long and too tedious to scroll through, so we'll use the Search function instead. Close the Strings window. Select "Search" from the menu and enter a portion of the string. Earlier I noted "file was modified" from the error message, so I will enter that.

You should now be looking at a highlighted line, saying something like:

* Possible Reference to String Resource ID=04189: "The Nero executable file was modified!"

Slowly scroll the window up using the arrow key. What we are looking for is the last instance of an Unconditional Jump, nearest to the string we searched for.

Stop when you've found it. It should look something like this (As I pointed out at the beginning of this tutorial, some of the values are likely to vary depending on what version of Nero you are working with):

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005B4ACF(C)
|
:005B4AF9 39BBC0020000            cmp dword ptr [ebx+000002C0], edi
:005B4AFF 751D                    jne 005B4B1E
:005B4B01 E804080000              call 005B530A
:005B4B06 83F803                  cmp eax, 00000003
:005B4B09 7513                    jne 005B4B1E

The values we want to change are right here. To understand what we are changing and why, we need to learn a little ASM, or assembly language. (It's beyond the scope of this tutorial to cover ASM in full, but hopefully you will find the reference below useful.) From this reference (thanks Sweet Angel), the two instructions we are interested in are jne and je:

| Hex | ASM | Meaning |
|---|---|---|
| EB | jmp | jump |
| 90 | nop | no operation |
| 75 or 0F85 | jne | jump if not equal |
| 74 or 0F84 | je | jump if equal |
| 77 or 0F87 | ja | jump if above |
| 0F86 | jna | jump if not above |
| 0F83 | jae | jump if above or equal |
| 0F82 | jb | jump if below |
| 0F83 | jnb | jump if not below |
| 0F86 | jbe | jump if below or equal |
| 0F8F | jg | jump if greater |
| 0F8E | jng | jump if not greater |
| 0F8D | jge | jump if greater or equal |
| 0F8C | jl | jump if less |
| 0F8D | jnl | jump if not less |
| 0F8E | jle | jump if less or equal |
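To see how the byte column of the listing relates to this table, the following added example (not from the original tutorial) parses the listing, checks that each instruction's bytes fill the gap to the next address, and computes where every relative branch lands. The function names are this example's own, and the sample listing is the one above with each byte column written as whole bytes.

```python
import re

# Constructed sample: the listing above, byte columns written as whole bytes.
LISTING = """\
:005B4AF9 39BBC0020000 cmp dword ptr [ebx+000002C0], edi
:005B4AFF 751D         jne 005B4B1E
:005B4B01 E804080000   call 005B530A
:005B4B06 83F803       cmp eax, 00000003
:005B4B09 7513         jne 005B4B1E
"""
ROW = re.compile(r"^:([0-9A-F]{8})\s+((?:[0-9A-F]{2})+)\s+(.+)$")

def parse(listing):
    """Yield (address, raw_bytes, text) for each W32Dasm-style code line."""
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3)

def branch_target(addr, raw):
    """Destination of a relative jmp/Jcc/call, or None for other instructions."""
    op = raw[0]
    if op == 0xEB or 0x70 <= op <= 0x7F:            # short jmp / Jcc, 1-byte offset
        rel = int.from_bytes(raw[1:2], "little", signed=True)
    elif op in (0xE8, 0xE9):                        # call / near jmp, 4-byte offset
        rel = int.from_bytes(raw[1:5], "little", signed=True)
    elif op == 0x0F and len(raw) > 1 and 0x80 <= raw[1] <= 0x8F:  # near Jcc (0F8x)
        rel = int.from_bytes(raw[2:6], "little", signed=True)
    else:
        return None
    # The offset is relative to the address of the *next* instruction.
    return (addr + len(raw) + rel) & 0xFFFFFFFF

def audit(listing):
    """Check address continuity, then return (address, text, target) per branch."""
    rows = list(parse(listing))
    for (addr, raw, _), (nxt, _, _) in zip(rows, rows[1:]):
        if addr + len(raw) != nxt:
            raise ValueError(f"bytes at {addr:08X} do not reach {nxt:08X}")
    found = []
    for addr, raw, text in rows:
        target = branch_target(addr, raw)
        if target is not None:
            found.append((addr, text, target))
    return found

if __name__ == "__main__":
    for addr, text, target in audit(LISTING):
        print(f"{addr:08X}  {text:<16} computed target {target:08X}")
```

Both jne instructions resolve to the same address, 005B4B1E, which matches the operand W32Dasm prints for them.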

Going back to our search in W32Dasm, we can see from the ASM reference that jne's can have a byte value of 75:


The information we're interested in is in the red box. See the two instances of 75? We need to change these bytes to 74 with a hex editor. Note their addresses on the far left. We can input those addresses directly into Hiew. For the first jne in the example above, the address we would enter is .005B4AFF. If you prefer not to use Hiew you can use your favorite hex editor instead - W32Dasm can give us hexadecimal offsets too. (I recommend Hexplorer as it's free and very usable.)

Use the arrow keys to scroll to each line with the jne. You'll notice in the status bar of W32Dasm something like this (again, the addresses will be different depending on which version of Nero you are working with):

Line:885118 Pg 17703 of 29307 Code Data @:005B4AFF @Offset 001B4AFFh in File:NERO.EXE

To make it clearer I've put the information we want in bold text. Remember the h at the end of 001B4AFFh indicates this is a hexadecimal offset. On entering this Offset (don't include the h) into your hex editor, you should have the cursor on a 75, depending on what kind of hex editor you have. On my version of Nero (Nero Express 6.0.0.27) I only had to change these two bytes, and ZmAn3 found that with the latest version of Nero (6.6.0.6) there's only the one instance to change, at address .00628B31.
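Seen from the integrity-checking side, an edit of this kind is easy to spot once a known-good copy such as the backup exists. The following added example (not part of the original tutorial) compares two images byte by byte and labels changes that look like an inverted or neutralised branch. The function names are this example's own, and the sample bytes are constructed from the listing earlier on the page, with file offsets assumed to follow the same mapping as the status-bar line.

```python
# Short conditional jumps occupy opcodes 0x70-0x7F; each even/odd pair tests
# the opposite condition, so flipping the low bit inverts the branch.
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]

def classify(old, new):
    """Heuristic label for one changed byte; confirm it in a disassembler,
    because the same values also occur as operands and data."""
    if 0x70 <= old <= 0x7F:
        if old ^ new == 1:
            return f"{JCC[old - 0x70]} -> {JCC[new - 0x70]} (condition inverted)"
        if new == 0xEB:
            return f"{JCC[old - 0x70]} -> jmp (branch made unconditional)"
    if new == 0x90:
        return "byte replaced with nop"
    return "changed"

def diff_images(original, current, base=0):
    """Return (file_offset, old, new, label) for every differing byte."""
    if len(original) != len(current):
        raise ValueError("sizes differ; compare section by section instead")
    return [(base + i, a, b, classify(a, b))
            for i, (a, b) in enumerate(zip(original, current)) if a != b]

def diff_files(known_good_path, current_path):
    """Same comparison for two files on disk, e.g. a backup and the live copy."""
    with open(known_good_path, "rb") as f, open(current_path, "rb") as g:
        return diff_images(f.read(), g.read())

# Constructed sample: the 18 bytes of the listing (file offset 001B4AF9h onward,
# assuming the status-bar mapping) before and after the edit the text describes.
ORIGINAL = bytes.fromhex("39BBC0020000751DE80408000083F8037513")
MODIFIED = bytes.fromhex("39BBC0020000741DE80408000083F8037413")

if __name__ == "__main__":
    for off, old, new, label in diff_images(ORIGINAL, MODIFIED, base=0x1B4AF9):
        print(f"{off:08X}h  {old:02X} -> {new:02X}  {label}")
```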

~Serenity
