HOW TO CRACK ULEAD PHOTO IMPACT 5 30-DAY TRIAL!
Tutorial by UmE

Introduction: in this tutorial I'll show you how to remove the time limit from the Ulead Photo Impact 5 trial. As you know, in time-limit cracking you usually search for a comparison with the value 1Eh (30 in decimal). In this program the authors have tried to complicate the target a little by delegating the time-limit check to a few calls, each of which returns 1 or 0 depending on whether the trial period is still valid or has expired. The scheme is very simple:

    push [argument]
    push [argument]
    ....
    call [address]
    ....
    test eax, eax
    jz [address]

It's a typical scheme, also often used in serial-protected programs. In 99.99% of cases, if the return value of the call is 1 (eax=1) you're OK; otherwise something is wrong!

Necessary tools: SoftICE 3.24 or better.

Program description: Ulead Photo Impact 5 Trial, Iedit.exe, 3,166,208 bytes.

PARENTAL ADVISORY: this tutorial is cracking oriented!!!

Step 1: when you run the program for the first time you'll see that everything is OK (except for an annoying nag screen, which we'll kill). Close the program and move your system date 30 or more days past the installation date. Now when you run the program a message box appears with the following text: "The 30-day trial period has expired. Please update to the full version". Note the caption of this message box: "u32Cfg"... mmm, what is that? We'll see later...

Step 2: open SoftICE by pressing Ctrl+D and set a breakpoint on the GetSystemTime API (bpx GetSystemTime). Close SoftICE (Ctrl+D again) and run the program... after a few seconds you're back in SoftICE!!
You're now on the first instruction of GetSystemTime: press F11 to return to the code that called this API... you'll land here:

    :4EB0473C FF15E880B04E  call dword ptr [4EB080E8]   <- GetSystemTime
    :4EB04742 8B4C2400      mov ecx, dword ptr [esp]    <- Load the first dword of the SYSTEMTIME struct; its low word is wYear = 7D0h
    :4EB04746 81E1FFFF0000  and ecx, 0000FFFF           <- Keep only the low word (the year), clearing the upper 16 bits
    :4EB0474C 51            push ecx                    <- Push it on the stack
    :4EB0474D E84EFFFFFF    call 4EB046A0               <- Check it
    :4EB04752 83C404        add esp, 00000004           <- Tidy up the stack
    :4EB04755 85C0          test eax, eax               <- Test eax (eax=1 in this case)
    :4EB04757 7407          je 4EB04760                 <- Jump if eax=0

What can we see in this snippet? It is a check to see whether the user has changed the year of the system date. The program pushes ecx (7D0h = 2000 decimal, the current year!!) on the stack and calls a function to check it. The result is eax=1, so everything went well!!

Let's continue tracing... During the trace you'll see some calls to API functions that read the Windows registry (RegQueryValueExA, ...): don't pay attention to the "test eax, eax" instructions after them, because they only verify that the registry operation succeeded. Keep tracing, because we're looking for a more interesting test!! At some point you'll see this:

    :4EB06B14 8D54243C      lea edx, dword ptr [esp+3C] <- Address of esp+3C in edx
    :4EB06B18 8D442434      lea eax, dword ptr [esp+34] <- Address of esp+34 in eax (the dword at esp+34 is 1Eh = 30 dec!!)
    :4EB06B1C 52            push edx                    <- Push edx on the stack
    :4EB06B1D 50            push eax                    <- Push eax on the stack
    :4EB06B1E 686CA8B04E    push 4EB0A86C               <- Push a constant
    :4EB06B23 E888DFFFFF    call 4EB04AB0               <- Check them
    :4EB06B28 83C40C        add esp, 0000000C           <- Tidy up the stack
    :4EB06B2B 85C0          test eax, eax               <- Test whether eax=0 (here eax=1)
    :4EB06B2D 0F8419010000  je 4EB06C4C                 <- Jump if eax=0

This snippet is very interesting: the program passes a pointer to the value 1Eh (the 30-day limit) to a function and then tests the function's result.
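The idiom shown in all these listings (a call, an optional add esp, then test eax, eax and a je/jne on its result) is mechanical enough to find with a byte-pattern scan. The following script is an added example and is not part of UmE's tutorial or of Ulead's code: it locates every test eax, eax followed by a short or near je/jne in a raw code buffer, resolves the jump target, looks back for the call rel32 whose return value is being tested, and builds the two patches used in this tutorial, flipping the jump (74 <-> 75, 0F84 <-> 0F85) or NOPping the call. The sample byte strings are constructed from the opcode bytes printed in the SoftICE listings on this page, at the addresses shown there; the function and dictionary names are my own. It is a pattern scanner, not a disassembler, so on a whole binary it can misfire on immediates that happen to contain these bytes.

```python
"""Find the `call ...; test eax, eax; je/jne` trial-check idiom in raw x86 code
and build the patches (flip the jump, NOP the call) used in the tutorial.

Added example, not tutorial or vendor code. Only the encodings that appear in
the listings are understood: call rel32 (E8), add esp,imm8 (83 C4 xx),
test eax,eax (85 C0), je/jne rel8 (74/75) and je/jne rel32 (0F 84/0F 85).
"""
import struct

# Constructed samples: (address of the first byte, hex bytes copied from the listings)
SAMPLES = {
    "year check":   (0x4EB0473C, "FF15E880B04E 8B4C2400 81E1FFFF0000 51 E84EFFFFFF 83C404 85C0 7407"),
    "30-day check": (0x4EB06B14, "8D54243C 8D442434 52 50 686CA8B04E E888DFFFFF 83C40C 85C0 0F8419010000"),
    "408h check":   (0x4EB06D0A, "52 6808040000 E84BCCFFFF 83C408 85C0 7515"),
    "flag check":   (0x4EB06D31, "8B442438 85C0 74E7"),
}


def find_eax_checks(code: bytes, base: int) -> list:
    """Return one dict per `test eax, eax` + je/jne found in `code` loaded at `base`.

    Each dict carries the jump's address, mnemonic and resolved target, the
    address/target of the preceding `call rel32` (with an optional `add esp, imm8`
    between call and test) if present, and the byte patches for the two tricks.
    """
    checks = []
    i = 0
    while i + 3 < len(code):
        if code[i:i + 2] != b"\x85\xc0":                      # test eax, eax
            i += 1
            continue
        j = i + 2                                              # the conditional jump
        if code[j] in (0x74, 0x75):                            # je/jne rel8
            rel, size = struct.unpack_from("<b", code, j + 1)[0], 2
            is_je = code[j] == 0x74
            flip = (base + j, bytes([code[j] ^ 1]))            # 74 <-> 75
        elif code[j] == 0x0F and code[j + 1] in (0x84, 0x85) and j + 6 <= len(code):
            rel, size = struct.unpack_from("<i", code, j + 2)[0], 6   # je/jne rel32
            is_je = code[j + 1] == 0x84
            flip = (base + j + 1, bytes([code[j + 1] ^ 1]))    # 0F84 <-> 0F85
        else:
            i += 2
            continue
        check = {
            "jcc_addr": base + j,
            "mnemonic": "je" if is_je else "jne",
            "target": (base + j + size + rel) & 0xFFFFFFFF,    # rel is relative to the next instruction
            "flip_patch": flip,
            "call_addr": None,
            "call_target": None,
            "nop_call_patch": None,
        }
        # Look back for the call whose return value is being tested.
        k = i
        if k >= 3 and code[k - 3:k - 1] == b"\x83\xc4":       # add esp, imm8 (stack tidy-up)
            k -= 3
        if k >= 5 and code[k - 5] == 0xE8:                     # call rel32
            call_addr = base + k - 5
            rel32 = struct.unpack_from("<i", code, k - 4)[0]
            check["call_addr"] = call_addr
            check["call_target"] = (call_addr + 5 + rel32) & 0xFFFFFFFF
            check["nop_call_patch"] = (call_addr, b"\x90" * 5)   # leaves eax untouched: watch it!
        checks.append(check)
        i = j + size
    return checks


def apply_patches(code: bytes, base: int, patches) -> bytes:
    """Apply (address, bytes) patches to a copy of `code` that is loaded at `base`."""
    buf = bytearray(code)
    for addr, data in patches:
        off = addr - base
        if not 0 <= off <= len(buf) - len(data):
            raise ValueError(f"patch at {addr:08X} falls outside the buffer")
        buf[off:off + len(data)] = data
    return bytes(buf)


def analyse(name: str) -> list:
    """Scan one of the constructed samples by name."""
    base, hexdump = SAMPLES[name]
    return find_eax_checks(bytes.fromhex(hexdump), base)


if __name__ == "__main__":
    for name in SAMPLES:
        for c in analyse(name):
            call = f"{c['call_addr']:08X} -> {c['call_target']:08X}" if c["call_addr"] else "(no call)"
            print(f"{name:13s} {c['mnemonic']:3s} at {c['jcc_addr']:08X} -> {c['target']:08X}; call {call}")
```

Run stand-alone it prints the four checks with the same targets the listings show (4EB04760, 4EB06C4C, 4EB06D31, 4EB06D20) and the called routines (4EB046A0, 4EB04AB0, 4EB03960); the fourth sample has no call before its test, which is exactly the "result reused later" case the tutorial warns about. Flipping a jump is a one-byte change, while NOPping the call leaves eax holding whatever the previous instruction left there, so the flip is the safer of the two patches when the return value is consumed again downstream.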
The call at 4EB06B23 returns eax=1, so again we can assume everything went well. Come on guys, let's continue... another test, same philosophy!

    :4EB06D0A 52            push edx
    :4EB06D0B 6808040000    push 00000408
    :4EB06D10 E84BCCFFFF    call 4EB03960
    :4EB06D15 83C408        add esp, 00000008
    :4EB06D18 85C0          test eax, eax               <- eax=1, everything OK!
    :4EB06D1A 7515          jne 4EB06D31

A few instructions later you'll arrive here:

    :4EB06D31 8B442438      mov eax, dword ptr [esp+38] <- Load the dword at esp+38 into eax
    :4EB06D35 85C0          test eax, eax               <- Test eax. In this case eax=0
    :4EB06D37 74E7          je 4EB06D20                 <- Jump if eax=0

Here something has gone wrong. Let's try changing the je into a jne and see what happens, but always keep an eye on eax, because the program may use it later for another check. Press F10 to keep tracing and the initial nag screen appears, telling you that your 30-day trial period has expired: something has changed, because the u32Cfg message box is gone! NOPping the call we have just stepped over kills the nag screen.

OK, let's continue down this road... we won't find anything interesting until we land in the Iedit.exe module. The first instruction we find there is another test eax, eax (eax=0 in this case)... could it be another check to see whether the trial period has expired? Try NOPping the following conditional jump and... BOOM! The main window of the program appears!! Yeah! We were right!!

What we've seen in this tutorial is a typical scheme used in commercial protections such as VBox or Rsagnt32.dll, where the main program delegates the time-limit check to a DLL and then performs another check of its own, to improve the odds of fooling whoever tries to crack it.

I hope this tutorial is useful to someone. Bye, UmE! Contact me at: ume15@hotmail.com.