ESTUDIO COLECTIVO DE DESPROTECCIONES
WKT Tutorialz Site

| Field | Value |
|---|---|
| Program | Ulead PhotoImpact v4.12 (W95 / W98 / NT) |
| Description | Image editor |
| Url | http://www.ulead.com |
| Protections | Trial / Nag |
| Level | 1) Beginner, 2) Intermediate, 3) Advanced, 4) Professional, 5) Expert |
| Tools | SoftICE v3.25, W32Dasm v8.9, UltraEdit v6.10a |
| Target | How to avoid NagScreens and a 30 day time limit |
| Cracker | Mr.WhiTe [WkT!] |
| Date | 07/30/99 |

Introduction
This is a very good program for manipulating your image files, with some cool features. Try it! With this tutorial you will learn how to avoid a Nag Screen in an easy way, and how to remove a time limit. The protection lives inside U32cfg.dll.

This tutorial was originally written in Spanish and this translation could be inaccurate.

Here we go!
Start the program and you'll notice it's a 30 day trial scheme, without any disabled options. It also shows an ugly nag screen, created with DialogBoxParamA. First of all, we are gonna kill that ugly nag screen. So, we set the first breakpoint in our beloved SoftICE. Write "BPX dialogboxparama", press F11 and then press the "Try More!" button. We'll land here:

```
* Reference To: USER32.DialogBoxParamA, Ord:008Eh
|
:4EB066CD FF15F4A3B14E            CALL DWORD PTR [4EB1A3F4]
:4EB066D3 898590FDFFFF            MOV DWORD PTR [EBP+FFFFFD90], EAX

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:4EB066A2(C), :4EB066AB(C)
|
* Possible Reference to Dialog: DialogID_0001
|
:4EB066D9 B801000000              MOV EAX, 00000001
:4EB066DE E935010000              JMP 4EB06818
```

To avoid the Nag Screen just change:

```
:4EB066CD FF15F4A3B14E            CALL DWORD PTR [4EB1A3F4]
```

to:

```
:4EB066CD 909090909090
```
Now, the 30 days time limit. |
So set your system clock at least 30 days ahead. Now start PhotoImpact. It will display another ugly dialog box. Oh, what a surprise!!! It's another "dialogboxparama"!!! Welcome back to SoftICE; we set the second breakpoint (or just enable the first one again): "BPX dialogboxparama". Now look where we are:

```
* Reference To: USER32.GetActiveWindow, Ord:00D5h
|
:4EB0671F FF15C0A3B14E            CALL DWORD PTR [4EB1A3C0]
:4EB06725 50                      PUSH EAX

* Possible Reference to Dialog: DialogID_0066
|
:4EB06726 6A66                    PUSH 00000066
:4EB06728 8B0D0C47B24E            MOV ECX, DWORD PTR [4EB2470C]
:4EB0672E 51                      PUSH ECX

* Reference To: USER32.DialogBoxParamA, Ord:008Eh
|
:4EB0672F FF15F4A3B14E            CALL DWORD PTR [4EB1A3F4]
:4EB06735 89858CFDFFFF            MOV DWORD PTR [EBP+FFFFFD8C], EAX
:4EB0673B 83BD8CFDFFFF2A          CMP DWORD PTR [EBP+FFFFFD8C], 0000002A
:4EB06742 751D                    JNZ 4EB06761
```

If you compare this code snippet with the previous one, you'll notice that the first snippet had only these two extra instructions:

```
:4EB066D9 B801000000              MOV EAX, 00000001       <-- Interesting!
:4EB066DE E935010000              JMP 4EB06818
```

In the first code snippet, EAX is assigned the value 1 and then there is a JMP to :4EB06818. In the second code snippet (trial period expired), [EBP+FFFFFD8C] is compared to 2A and, if they are not equal, it jumps to :4EB06761:

```
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:4EB06716(C), :4EB06742(C)
|
:4EB06761 33C0                    XOR EAX, EAX            <-- Bad idea!
:4EB06763 E9B0000000              JMP 4EB06818
```

So, we have to assign the value 1 to EAX and also jump to :4EB06818. Open the file u32cfg.dll with your favourite hex editor (UltraEdit for example) and modify the following bytes:

```
:4EB0672F FF15F4A3B14E            CALL DWORD PTR [4EB1A3F4]
:4EB06735 89858CFDFFFF            MOV DWORD PTR [EBP+FFFFFD8C], EAX
```

We search for "FF15F4A3B14E89858CFD" and change it to "B801000000E9B0000000". So, we'll have this:

```
:4EB0672F B801000000              MOV EAX, 00000001
:4EB06735 E9B0000000              JMP 4EB06818
```

Voilà! It's done.
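An added example, not part of the original tutorial, looking at the same patch from the other side: a vendor can catch this kind of edit by hashing the code region around the DialogBoxParamA call at build time and re-checking it at run time, and an analyst can scan a suspect DLL for the byte patterns the patch leaves behind. The file image below is a constructed stand-in, not the real U32cfg.dll; the byte values are the ones quoted in the listings above.

```python
import hashlib

# Byte patterns from the listings above, as they appear in the on-disk image.
ORIGINAL_CALL_SITE = bytes.fromhex("FF15F4A3B14E89858CFD")  # CALL [4EB1A3F4]; MOV [EBP-274],EAX
PATCHED_MOV_JMP = bytes.fromhex("B801000000E9B0000000")     # MOV EAX,1; JMP rel32
NOPPED_CALL = bytes.fromhex("909090909090")                 # six NOPs where a 6-byte CALL was


def region_digest(image: bytes, offset: int, length: int) -> str:
    """SHA-256 of a code region: the value a vendor would record at build time."""
    return hashlib.sha256(image[offset:offset + length]).hexdigest()


def verify_region(image: bytes, offset: int, length: int, expected: str) -> bool:
    """Run-time integrity check: does the region still hash to the build-time value?"""
    return region_digest(image, offset, length) == expected


def find_patch_indicators(image: bytes) -> list[tuple[int, str]]:
    """Scan a file image for the two edits this tutorial makes.

    A run of NOPs is only an indicator (compilers emit NOP padding between
    functions), so each hit is reported with a label for a human to review.
    """
    findings = []
    for pattern, label in ((PATCHED_MOV_JMP, "call replaced by MOV EAX,1 / JMP"),
                           (NOPPED_CALL, "6-byte CALL overwritten with NOPs")):
        start = 0
        while (pos := image.find(pattern, start)) != -1:
            findings.append((pos, label))
            start = pos + 1
    return findings


def build_sample_images() -> tuple[bytes, bytes]:
    """Constructed stand-in for U32cfg.dll: filler, the call site, more filler."""
    filler = bytes(range(0x10, 0x40))  # contains neither 0x90 nor 0xB8
    original = filler + ORIGINAL_CALL_SITE + filler
    offset = len(filler)
    patched = original[:offset] + PATCHED_MOV_JMP + original[offset + len(PATCHED_MOV_JMP):]
    return original, patched


if __name__ == "__main__":
    original, patched = build_sample_images()
    off = original.find(ORIGINAL_CALL_SITE)
    build_time_digest = region_digest(original, off, len(ORIGINAL_CALL_SITE))
    print("original intact :", verify_region(original, off, 10, build_time_digest))
    print("patched intact  :", verify_region(patched, off, 10, build_time_digest))
    print("indicators      :", find_patch_indicators(patched))
```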
Do I really have to remind you of the purpose of this cracking tutorial? NOTE FOR THE READER: This essay could contain mistakes (maybe the author skipped some steps, maybe wrong memory addresses, etc.).

The purpose is that you should learn to "think like a cracker".

```
*------------------*
|WHISKEY KON TEKILA|
|Mr.WhiTe [WkT!99] |
|http://wkt.tsx.org|
|http://ecd.tsx.org|
*------------------*
```