HOW TO CRACK ULEAD PHOTO IMPACT 5 30-DAY TRIAL!

Tutorial by UmE

Introduction: in this tutorial I'll show you how to remove the time limit from Ulead Photo
Impact 5 Trial. As you know, in time-limit cracking you search for a comparison with the 1Eh
value (30 in decimal). In this program the authors have tried to complicate the target a little
by delegating the time-limit check to a few calls, each of which returns 1 or 0 depending on
whether the trial period is still OK or is over. The scheme is very simple:

						push [argument]
						push [argument]
							....
						call [address]
							....
						test eax, eax
						jz [address]

It's a typical scheme, often used in serial-protected programs too. In 99.99% of cases, if
the return value of the call is 1 (eax=1) you're OK; otherwise something is wrong!

Necessary tools: SoftIce 3.24 or better.

Program description: Ulead Photo Impact 5 Trial, Iedit.exe, 3.166.208 bytes.

PARENTAL ADVISORY: this tutorial is cracking oriented!!!

Step 1: when you run the program for the first time you'll see that everything is OK (except
that annoying nag screen, which we'll kill). Close the program and move your system date 30 or
more days past the installation date. Now when you run the program a message box will appear
with the following text: "The 30-day trial period has expired. Please update to the
full version".
If you look at the caption of this message box, it's "u32Cfg"....mmm, what is it? We'll see it later...

Step 2: open SoftIce by pressing Ctrl+D and place a breakpoint on the GetSystemTime function. Close
SoftIce (Ctrl+D again) and run the program.....after a few seconds you're in SI again!! You're
now on the first instruction inside the GetSystemTime function: press F11 to return to the piece
of code that called this API...you'll land here:

:4EB0473C FF15E880B04E            Call dword ptr [4EB080E8]		<- GetSystemTime
:4EB04742 8B4C2400                mov ecx, dword ptr [esp]		<- Load the dword at [esp] into ecx; its low word is 7D0h
:4EB04746 81E1FFFF0000            and ecx, 0000FFFF			<- Keep only the low word (clear the upper 16 bits)
:4EB0474C 51                      push ecx				<- Push ecx onto the stack
:4EB0474D E84EFFFFFF              call 4EB046A0				<- Process it
:4EB04752 83C404                  add esp, 00000004			<- Tidy up the stack
:4EB04755 85C0                    test eax, eax				<- Test eax (eax=1 in this case)
:4EB04757 7407                    je 4EB04760				<- Jump if eax=0

What can we see from this code snippet? This is a check to see if the user has changed the
year of the system date. In fact the program pushes ecx (7D0h = 2000 decimal, the current year!!)
onto the stack and calls a function to process it. The result is eax=1, so all has gone well!!
Let's continue with the tracing...During your trace you'll see some calls to API functions that
read from the Windows registry (RegQueryValueExA...): don't mind the "test eax, eax" instruction
after them, because those are only checks that the operation succeeded: keep tracing, because
we're looking for a more interesting test!! At a certain point you'll see this:

:4EB06B14 8D54243C                lea edx, dword ptr [esp+3C]	<- Load the address esp+3C into edx
:4EB06B18 8D442434                lea eax, dword ptr [esp+34]	<- Load the address esp+34 into eax ([esp+34]=1Eh=30dec!!)
:4EB06B1C 52                      push edx				<- Push edx onto the stack
:4EB06B1D 50                      push eax				<- Push eax onto the stack
:4EB06B1E 686CA8B04E              push 4EB0A86C				<- Push a constant (4EB0A86C)
:4EB06B23 E888DFFFFF              call 4EB04AB0				<- Process them
:4EB06B28 83C40C                  add esp, 0000000C			<- Tidy up the stack
:4EB06B2B 85C0                    test eax, eax				<- Test if eax=0 (in this case eax=1)
:4EB06B2D 0F8419010000            je 4EB06C4C				<- Jump if eax=0

This code snippet is very interesting because we've seen that here the program pushes the
address of the value 1Eh onto the stack and processes it. The result of the call is eax=1, so we
can think that all has gone well. Come on guys, let's continue....another test, the same philosophy!
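To make the scheme concrete, here is an added C model, written for this page and not Ulead's code, of the two boolean-returning checks the trace shows: the year check behind the call at 4EB046A0 and the 1Eh comparison behind the call at 4EB04AB0. The tutorial doesn't show what those functions do internally, so the rules inside them are assumptions; what the model illustrates is how each check collapses into a single 1/0 in eax that a `test eax, eax` / `je` gates, and why a rolled-back clock must also fail.

```c
#include <stdio.h>
/* Added model for this page: NOT Ulead's code. The internals of the checked
 * functions are assumptions; only the 1/0-in-eax contract comes from the trace. */
#define TRIAL_DAYS 0x1E            /* 1Eh = 30 dec, the constant the tutorial hunts for */
typedef struct { int year, month, day; } Date;   /* stand-in for the SYSTEMTIME fields */

/* Days since 1970-01-01 (proleptic Gregorian), used to get "days elapsed". */
static long days_from_civil(int y, int m, int d) {
    y -= (m <= 2);
    long era = (y >= 0 ? y : y - 399) / 400;
    long yoe = y - era * 400;
    long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Models the call at 4EB0474D: the year (7D0h = 2000) is the only argument.
 * Assumed rule: the year must not be earlier than the install year.
 * Returns 1 = OK, 0 = tampered, exactly the contract test eax,eax / je expects. */
int year_check(int install_year, int current_year) {
    return current_year >= install_year;
}

/* Models the call at 4EB06B23: compares days elapsed against 1Eh.
 * The tutorial reports expiry at "30 or more days", hence the strict '<'.
 * A negative elapsed count means the clock went backwards: fail closed. */
int trial_check(Date install, Date now) {
    long elapsed = days_from_civil(now.year, now.month, now.day)
                 - days_from_civil(install.year, install.month, install.day);
    if (elapsed < 0) return 0;
    return elapsed < TRIAL_DAYS;
}

/* The gate. Every check collapses into one 1/0 tested by a conditional jump,
 * so the whole decision rests on a single flag; that concentration, not any
 * individual check, is the weak point of this design. */
int program_may_run(Date install, Date now) {
    if (!year_check(install.year, now.year)) return 0;
    if (!trial_check(install, now)) return 0;
    return 1;
}

int main(void) {
    Date install = {2000, 1, 1};   /* constructed sample dates, not from the program */
    Date ok = {2000, 1, 20}, over = {2000, 1, 31}, back = {1999, 12, 31};
    printf("day 20: %d, day 31: %d, rolled back: %d\n", program_may_run(install, ok),
           program_may_run(install, over), program_may_run(install, back));
    return 0;
}
```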

:4EB06D0A 52                      push edx				<- Push edx onto the stack
:4EB06D0B 6808040000              push 00000408			<- Push the constant 408h
:4EB06D10 E84BCCFFFF              call 4EB03960			<- Another check
:4EB06D15 83C408                  add esp, 00000008			<- Tidy up the stack
:4EB06D18 85C0                    test eax, eax			<- Eax=1, it's all ok!
:4EB06D1A 7515                    jne 4EB06D31				<- Jump if eax!=0

A few instructions after this point you'll arrive here:

:4EB06D31 8B442438                mov eax, dword ptr [esp+38]	<- Move [esp+38] into eax
:4EB06D35 85C0                    test eax, eax				<- Test eax. In this case eax=0
:4EB06D37 74E7                    je 4EB06D20				<- Jump if eax=0

In this case something has gone wrong. Let's try to change the je into a jne and see, but
always keep an eye on eax, because the program may use it later for another check.
Press F10 to continue tracing and the initial nag screen will appear, telling you that your
30-day trial period has expired: something has changed, because the u32Cfg message box is
gone! Nopping the call we've just executed will kill the nag screen.
OK, let's continue along this road....we won't find anything interesting until we land in the
Iedit.exe module. The first instruction we find here is another test eax, eax (in this
case eax=0)...could it be another check to see if the trial period is over? Try to nop the
following conditional jump and...BOOM! The main window of the program will appear!! Yeah! We
thought right!!
What we've seen in this tut is a typical scheme used in commercial protections such as VBox
or Rsagnt32.dll, where the main program delegates the time-limit check routine to a DLL and
then performs another check itself, to increase the chance of fooling whoever tries to crack it!

I hope this tut will be useful to someone.

Bye, UmE!

Contact me at: ume15@hotmail.com.