Target Program: Ulead Photo Express 2.0

Description: Photo Express 2.0 is the new cool tool for expressing your creativity with pictures of your family and friends! Photo Express is the ultimate tool for adding that extra spark of life to your photos - it gives you the power to take ordinary, everyday pictures and turn them into high-quality works of art. With its guided workflow and intuitive interface, you'll be cranking out personalized birthday cards, calendars, and posters in no time at all!

Location: http://www.ulead.com (also published on many CDs - like Shareware Light). If you prefer an FTP search, look for PE2T.EXE (22806016 Bytes).

Protections: Time Limited / NAG

Tools needed:
- SoftICE 3.2x
- Hex Editor (I like Hacker's View)

Ob duh: Do I really have to remind you all that by BUYING and NOT stealing the software you use, you will ensure that these software houses will continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems. If you're looking for cracks or serial numbers on these pages, then you're wasting your time; try to search elsewhere on the Web under Warez, Cracks, etc.

Level: (X) Beginner ( ) Intermediate ( ) Advanced ( ) Expert
The first step in cracking a program is usually to check what type of protection it has. Then we decide how we can crack that program. So, let's have a look at the dialog box that was displayed when we started Photo Express:

Since we have to push the "Try More!"-Button to start the program, we call this a NAG screen. The next thing we have to decide is whether it's a Standard-NAG or an Advanced-NAG. Since this tutorial is written for a newbie, I don't think you have enough experience to decide what type of NAG it is, so I'll just tell you: most NAGs, like this one, are not Standard-NAGs (a dialog box with just a button like "I agree", a small icon and NO other images).

As you might already have seen from the title of the NAG, Photo Express has a second, its real, protection: it's Time Limited. So press the "Try More!"-Button and exit Photo Express. Before we crack the Time Limit, we should crack the NAG, so that we don't have to press the "Try More!"-Button any longer.

If you've already cracked some Advanced-NAGs, you know which breakpoints you have to set in SoftICE now. If you haven't got this knowledge, it might help to read Part 06: "Window Generating" of the cRACKER's n0TES.

Let's start the cracking session: Enter SoftICE by pressing CTRL-D (if you haven't changed the standard keys) and set a BreakPoint on Execution on DialogBoxParamA (because it's an Advanced-NAG). After you've pressed F11 and then pressed the "Try More!"-Button, you'll get the following code:
:4EB066AE  FF15C0A3B14E    CALL [USER32!GetActiveWindow]
:4EB066B4  50              PUSH EAX
:4EB066B5  6A66            PUSH 66
:4EB066B7  8B0D0C47B24E    MOV ECX,[4EB2470C]
:4EB066BC  51              PUSH ECX
:4EB066BD  FF15F4A3B14E    CALL [USER32!DialogBoxParamA]
:4EB066C3  89858CFDFFFF    MOV [EBP-0274],EAX
:4EB066C9  B801000000      MOV EAX,00000001
:4EB066CE  E935010000      JMP 4EB06808
So we can crack the NAG by simply removing the CALL to DialogBoxParamA? - Yes. So clear all breakpoints by typing BC * and set a BPX on the DialogBoxParamA line and restart Photo Express. Then type "A" in SoftICE to assemble some instructions:

NOP <ENTER>
NOP <ENTER>
NOP <ENTER>
NOP <ENTER>
NOP <ENTER>
NOP <ENTER>
<ENTER>

Now return to Windows (CTRL-D) and take a look at the result of your memory crack for the NAG screen. The NAG crack is nearly done; we just have to patch the file that generated the NAG. SoftICE displayed the 'info' that we're in IPE20.EXE - as I couldn't find this code in IPE20.EXE, I decided to use the knowledge I got from other Ulead cracks (U32CFG.DLL is *the* DLL). So I searched for B801000000E935010000 in U32CFG.DLL - and found it. So simply run HIEW, search for

FF15F4A3B14E898590FDFFFF

and replace it with

909090909090898590FDFFFF

Now we've removed the NAG screen - as long as we're in the trial period. The next step is to remove the Time Limit - so set your system clock at least 30 days ahead. Now start Photo Express. The following dialog box will be displayed:

So far so good. We now have to crack its *real* protection: the 30-day time limit. Since this dialog box looks like the first one, we can set a BPX on DialogBoxParamA. So set a BPX on DialogBoxParamA and restart Photo Express. After you've pressed F11 and then pressed the "OK"-Button, you'll get the following code:
:4EB0670F  FF15C0A3B14E    CALL [USER32!GetActiveWindow]
:4EB06715  50              PUSH EAX
:4EB06716  6A66            PUSH 66
:4EB06718  8B0D0C47B24E    MOV ECX,[4EB2470C]
:4EB0671E  51              PUSH ECX
:4EB0671F  FF15F4A3B14E    CALL [USER32!DialogBoxParamA]
:4EB06725  89858CFDFFFF    MOV [EBP-0274],EAX
:4EB0672B  83BD8CFDFFFF2A  CMP DWORD PTR [EBP-0274],2A
:4EB06732  751D            JNZ 4EB06751
If you compare this code snippet with the last one, you'll recognize that code snippet 1 has just these additional instructions:

:4EB066C9  B801000000      MOV EAX,00000001
:4EB066CE  E935010000      JMP 4EB06808

Code snippet 1: EAX is assigned the value 1. Then there's a JMP to 4EB06808.

Code snippet 2: There's a JMP to 4EB06751 if [EBP-0274] isn't 2A, which means the "Order now!"-Button was pressed.

Well, what we could do now is really simple: we can just overwrite the DialogBoxParamA call from code snippet 2 with:
MOV EAX,00000001
JMP 4EB06808
Then Photo Express won't expire. So set a BPX on DialogBoxParamA in SoftICE and restart Photo Express. Press F11 and you'll get the code of code snippet 2. Now set a BPX on the DialogBoxParamA line and restart Photo Express. After SoftICE pops up at the DialogBoxParamA line, type "A" in SoftICE to assemble some instructions:

MOV EAX,1 <ENTER>
JMP 4EB06808 <ENTER>
<ENTER>

SoftICE will then display the following code:
:4EB0670F  FF15C0A3B14E    CALL [USER32!GetActiveWindow]
:4EB06715  50              PUSH EAX
:4EB06716  6A66            PUSH 66
:4EB06718  8B0D0C47B24E    MOV ECX,[4EB2470C]
:4EB0671E  51              PUSH ECX
:4EB0671F  B801000000      MOV EAX,00000001
:4EB06724  E9DF000000      JMP 4EB06808
:4EB06729  FFFF            INVALID
:4EB0672B  83BD8CFDFFFF2A  CMP DWORD PTR [EBP-0274],2A
:4EB06732  751D            JNZ 4EB06751
Now Photo Express will start as if it hadn't expired. We just have to run HIEW, search for

FF15F4A3B14E89858CFD

and replace it with

B801000000E9DF000000

... Photo Express successfully cracked!
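As an added illustration (not part of the original tutorial): the two JMPs to 4EB06808 in the listings are encoded differently (E935010000 vs E9DF000000) because a JMP rel32 stores the distance from the end of the jump itself, and writing the 10-byte MOV/JMP pair over the 12-byte CALL/MOV pair leaves the trailing FF FF that SoftICE shows as INVALID. The Python below reproduces those encodings from the page's addresses and, from the defender's side, checks whether a call site still holds the original DialogBoxParamA CALL; the constants are copied from the listings and the classify_call_site helper is this example's own assumption.

```python
import struct

# Bytes and addresses copied from the page's SoftICE listings (sample input).
CALL_DIALOGBOXPARAMA = bytes.fromhex("FF15F4A3B14E")  # CALL [USER32!DialogBoxParamA]
MOV_RESULT_TO_LOCAL = bytes.fromhex("89858CFDFFFF")   # MOV [EBP-0274],EAX
CALL_SITE_2 = 0x4EB0671F                              # address of the CALL in snippet 2
JMP_TARGET = 0x4EB06808                               # where both snippets continue


def jmp_rel32(at, target):
    """Encode a 5-byte JMP rel32 located at `at` that lands on `target`.
    The displacement is measured from the end of the JMP (at + 5), which is
    why the same target gives E935010000 at 4EB066CE but E9DF000000 at 4EB06724."""
    return b"\xE9" + struct.pack("<i", target - (at + 5))


def mov_eax_imm32(value):
    """Encode MOV EAX,imm32 (opcode B8 followed by a little-endian immediate)."""
    return b"\xB8" + struct.pack("<I", value)


def overlay(original, patch):
    """Write `patch` over the start of `original`; bytes past the patch survive,
    which is where the stray FF FF (shown as INVALID) comes from."""
    return patch + original[len(patch):]


def snippet2_patch():
    """The in-memory edit from the last listing: MOV EAX,1 at 4EB0671F, then
    JMP 4EB06808 at 4EB06724 (the MOV is 5 bytes long)."""
    return mov_eax_imm32(1) + jmp_rel32(CALL_SITE_2 + 5, JMP_TARGET)


def classify_call_site(code):
    """Integrity check (hypothetical helper): report whether this call site still
    contains the DialogBoxParamA CALL or one of the two edits shown on the page."""
    if code.startswith(CALL_DIALOGBOXPARAMA):
        return "intact"
    if code.startswith(b"\x90" * len(CALL_DIALOGBOXPARAMA)):
        return "nop-patched"
    if len(code) >= 10 and code[0] == 0xB8 and code[5] == 0xE9:
        return "jmp-patched"
    return "unknown"
```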