Project 11 - April 26, 1999

+=widY@cL 2011=+

from newbie to another

 

Tools used : W32dasm 8.93 - Hiew 6.04
Target : CompuPic 4.50 build 979
Homepage : http://www.photodex.com

CompuPic is a high performance, easy to use digital content manager distributed exclusively online by Photodex. Digital Content Managers enable graphic and web designers, digital photography enthusiasts and business and home users to efficiently access and manage digital content stored across a single hard drive or across a network.


Ok .. run the program .. aah we have a trial message .. skip it .. this time we're not gonna find out the correct password .. 'coz we have a more interesting way of registering this program .. now look at the title bar .. you should see ' Evaluation Copy ' .. this text won't show up if we are a registered user right ?! .. heh a good hint don't you think ?! .. let's disassemble compupic.exe .. find the text in SDR ( String Data References ) .. waah it's not in here ! .. the string is not in the main exe at all, so disassemble if.dnt instead .. wait ... wait .. done .. ok find the text in SDR .. double click on it :

10004B57 E824B30200 call 1002FE80 ; we must return from this call with EAX=1
10004B5C 85C0 test eax, eax ; with EAX=1, 1 AND 1 = 1, so the zero flag is clear
10004B5E 753A jne 10004B9A ; so we jump to 10004B9A and skip the ' - Evaluation Copy ' text (good routine)

* Possible StringData Ref from Data Obj ->" - Evaluation Copy"

Now let's take a look at what's inside the CALL .. snip .. snip .. aah here are the interesting parts :

* Reference To: if._ReadRegVal@12

1002FEBD E86EE5FFFF call 1002E430
1002FEC2 85C0 test eax, eax
1002FEC4 0F858F000000 jne 1002FF59 ; nonzero return = bad, we should nop this jump ( every jne / js to 1002FF59 below is a way into the bad routine )
1002FECA 6639742408 cmp word ptr [esp+08], si
1002FECF 0F8584000000 jne 1002FF59 ; nop
1002FED5 668B44240A mov ax, word ptr [esp+0A]
1002FEDA 660344240C add ax, word ptr [esp+0C]
1002FEDF 668B0DBC630A10 mov cx, word ptr [100A63BC]
1002FEE6 6603442408 add ax, word ptr [esp+08]
1002FEEB 662944240E sub word ptr [esp+0E], ax
1002FEF0 66394C240E cmp word ptr [esp+0E], cx
1002FEF5 7562 jne 1002FF59 ; nop
1002FEF7 668B44240E mov ax, word ptr [esp+0E]
1002FEFC 662944240A sub word ptr [esp+0A], ax
1002FF01 662944240C sub word ptr [esp+0C], ax
1002FF06 8B4C240C mov ecx, dword ptr [esp+0C]
1002FF0A 51 push ecx
1002FF0B E8C0EFFFFF call 1002EED0
1002FF10 83C404 add esp, 00000004
1002FF13 8BF8 mov edi, eax
1002FF15 E876F1FFFF call 1002F090
1002FF1A 2BF8 sub edi, eax
1002FF1C 783B js 1002FF59 ; nop
1002FF1E 8B44240A mov eax, dword ptr [esp+0A]
1002FF22 50 push eax
1002FF23 E8A8EFFFFF call 1002EED0
1002FF28 83C404 add esp, 00000004
1002FF2B 8BF8 mov edi, eax

* Reference To: KERNEL32.GetTickCount, Ord:0130h

1002FF2D FF1560470B10 Call dword ptr [100B4760]
1002FF33 2B05B8630A10 sub eax, dword ptr [100A63B8]
1002FF39 B9E8030000 mov ecx, 000003E8
1002FF3E 2BD2 sub edx, edx
1002FF40 F7F1 div ecx
1002FF42 2BF8 sub edi, eax
1002FF44 2B3D40180B10 sub edi, dword ptr [100B1840]
1002FF4A 780D js 1002FF59 ; nop
1002FF4C B801000000 mov eax, 00000001 ; coz we must reach this lovely code !
1002FF51 5F pop edi
1002FF52 5E pop esi
1002FF53 83C414 add esp, 00000014
1002FF56 C20C00 ret 000C

Fire up Hiew .. open if.dnt .. and make the following changes ( note we don't overwrite the jumps with 90h NOPs .. we just zero the displacement so each jump lands on the next instruction .. same instruction length, nothing after it moves ) :

OFFSET   ORIGINAL BYTES   CRACKED BYTES

2F2C4    0F858F000000     0F8500000000
2F2CF    0F8584000000     0F8500000000
2F2F5    7562             7500
2F31C    783B             7800
2F34A    780D             7800
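The same five patches as a script, added here as an example and not part of the original tutorial. It does the two checks a careful patcher wants before touching a file: it decodes each Jcc and confirms the original bytes really jump to 1002FF59 while the cracked bytes fall through to the next instruction, and it refuses to write unless the original bytes are at the expected offsets (wrong build, already patched). The VA-to-offset delta is derived from the table above and is an assumption that holds only for this if.dnt build; the fake image and the file names are constructed for illustration.

```python
import struct
import sys

# Patch table from the tutorial, keyed by virtual address instead of file offset:
# (VA of the conditional jump, original bytes, cracked bytes).
PATCHES = [
    (0x1002FEC4, bytes.fromhex("0F858F000000"), bytes.fromhex("0F8500000000")),
    (0x1002FECF, bytes.fromhex("0F8584000000"), bytes.fromhex("0F8500000000")),
    (0x1002FEF5, bytes.fromhex("7562"),         bytes.fromhex("7500")),
    (0x1002FF1C, bytes.fromhex("783B"),         bytes.fromhex("7800")),
    (0x1002FF4A, bytes.fromhex("780D"),         bytes.fromhex("7800")),
]

# The "bad" label every one of those jumps points at, read off the W32Dasm listing.
BAD_ROUTINE = 0x1002FF59

# VA-to-raw-offset delta, derived from the tutorial's own pairs (1002FEC4 -> 2F2C4, ...).
# For a real PE you would compute it from the section table
# (VA - ImageBase - VirtualAddress + PointerToRawData); this constant is an
# assumption that only holds for this build of if.dnt.
VA_TO_FILE_DELTA = 0x1002FEC4 - 0x2F2C4   # 0x10000C00


def va_to_offset(va):
    """Map a virtual address in if.dnt's code section to a raw file offset."""
    return va - VA_TO_FILE_DELTA


def jump_target(va, insn):
    """Decode a relative Jcc (short 7x rel8 or near 0F 8x rel32) located at `va`
    and return the address it jumps to. The displacement is relative to the end
    of the instruction, so target = va + len(insn) + rel."""
    if len(insn) == 6 and insn[0] == 0x0F and 0x80 <= insn[1] <= 0x8F:
        rel = struct.unpack("<i", insn[2:6])[0]
    elif len(insn) == 2 and 0x70 <= insn[0] <= 0x7F:
        rel = struct.unpack("<b", insn[1:2])[0]
    else:
        raise ValueError("not a relative Jcc: %s" % insn.hex())
    return va + len(insn) + rel


def patch_is_consistent(patches=PATCHES, bad=BAD_ROUTINE):
    """Sanity-check the table before touching the file: every original jump must
    go to the bad routine, and every cracked jump must be the same length and
    fall through to the next instruction (zero displacement), so nothing after
    it moves."""
    for va, orig, new in patches:
        if jump_target(va, orig) != bad:
            return False
        if len(new) != len(orig) or jump_target(va, new) != va + len(new):
            return False
    return True


def apply_patches(image, patches=PATCHES):
    """Return a patched copy of `image`, refusing to write unless the original
    bytes are exactly where the table says they are."""
    buf = bytearray(image)
    for va, orig, new in patches:
        off = va_to_offset(va)
        found = bytes(buf[off:off + len(orig)])
        if found != orig:
            raise ValueError("offset %X: expected %s, found %s"
                             % (off, orig.hex(), found.hex()))
        buf[off:off + len(new)] = new
    return bytes(buf)


def build_fake_image():
    """Constructed stand-in for if.dnt: a zero-filled buffer that only carries the
    five original jump encodings at their raw offsets."""
    buf = bytearray(va_to_offset(BAD_ROUTINE) + 1)
    for va, orig, _ in PATCHES:
        off = va_to_offset(va)
        buf[off:off + len(orig)] = orig
    return bytes(buf)


if __name__ == "__main__":
    # Usage (hypothetical file names): python patch_ifdnt.py if.dnt if.dnt.cracked
    src, dst = sys.argv[1], sys.argv[2]
    if not patch_is_consistent():
        sys.exit("patch table does not decode as expected, refusing to patch")
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(apply_patches(data))
```

Running it twice on the same file fails on purpose: the second run sees the cracked bytes instead of the originals and raises instead of silently re-writing. Keeping a copy of the original if.dnt is still the sane thing to do.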

Now run the program .. BOOM .. it's fully registered .. yep another 3 minutes of cracking .. and once again cracking without using a debugger !!!

You can write your nick name in the title bar by selecting Help - Enter Password .. put in your name and anything for the rest .. push Register Your Password .. [OK] .. repeat this a few times :) .. your name should be written in the title bar when you re-run the program. Program settings are stored in the system registry : HKEY_CLASSES_ROOT\CompuPic

Let me know if you have any comments : widya2011@hotmail.com

Copyright © 1999. All Rights Reserved.