
-----------------------------------------------------------------------------
+                                                                           +
+  AAAAA  AAAAA  AAAAA  AAAAA  A      AAAAA  A   A  A  AAAAA  AAAAA  AAAAA  +
+  A   A  A        A    A   A  A      A   A  A   A  A  A        A    A   A  +
+  AAAAA  AAAAA    A    AAAAA  A      AAAAA  A   A  A  AAAAA    A    AAAAA  +
+  A   A      A    A    A   A  A      A   A   A A   A      A    A    A   A  +
+  A   A  AAAAA    A    A   A  AAAAA  A   A    A    A  AAAAA    A    A   A  +
+                                                                           +
-----------------------------------------------------------------------------
+  Date   : 26. April 2000                                                  +
+  Title  : MediaStudio Pro 6.0 Trial (Ulead)                               +
+  Author :  Sojourner                                                      +
+  Source : http://www.AstaLaVista.com                                      +
-----------------------------------------------------------------------------

MediaStudio Pro 6.0 Trial (Ulead)

Hello fellow students-

What we will do--use the prog past the 30 day limit

Level- intermediate skill

Tools-- 
  1. A resource tool with editing capibility, like Restorator 2.5
  2. w32dasm 8.9xxx
  3. Ultraedit or hexeditor of your choice

History
A little history. MediaStudio has aged and improved. Some nice tools 
if you're into this kind of stuff. This suite of progs will deal with
a range of different media. The veditor.exe only  deals with "real" DV,
not .avi or mpeg. A capture card is necessary for use with the 
vcapture.exe, et cetera. You'll see. This particular set of progs has a 
30 day time limit set through a .dll.

Begin
Let's find out what's going on in here. Go ahead and choose one of the
executibles to start with. It won't matter which one, since they all 
trigger that same initial .dll. Most of this suite has fairly small
packages to disassemble, so it will go rapidly.
One thing I found fairly quickly was I could not actually run the program 
through the debugger, nor could I tap into it after it was running. I
always received an error message. Nevertheless, the disassembly was
smooth and the program started up with a typical Welcome screen and time
limited type of message. It let you know right off the bat that you have 
29 days left. You won't find a string reference to this in the .dll or
executible. Now which .dll do I keep referring to? It is important to know
which believe me, because once you do, you can "fix" it. THE .dll is
u32prod.dll. You can disassemble it if you want to , but it won't matter.
You will actually use Restorator 2.5 on it to help and change it on the fly!
You actually can do some goofy stuff with Restorator 2.5 if you want to, 
like modify the dialog captions with your own personal name, but that's up 
to you.
Now on to the task at hand. This little snippet of code comes from 
vpaint.exe. I have shown this to you because it is an important function
call that pops up in every single executible in this suite. It is the 
u32Cfg.ulcCheckLegality---seen just below. My two lines at:

:00441A5E 40                      inc eax  -----have already been
:00441A5F 90                      nop      -----modified

:00441A5E 85C0                    test eax, eax---original code


* Reference To: MSVCRT.malloc, Ord:0291h
                                  |
:00441A3D FF1568DA4600            Call dword ptr [0046DA68]
:00441A43 83C404                  add esp, 00000004
:00441A46 3BC3                    cmp eax, ebx
:00441A48 8985CC010000            mov dword ptr [ebp+000001CC], eax
:00441A4E 0F8488020000            je 00441CDC
:00441A54 8B4D6C                  mov ecx, dword ptr [ebp+6C]
:00441A57 50                      push eax
:00441A58 51                      push ecx

* Reference To: u32Cfg.ulcCheckLegality, Ord:0004h
                                  |
:00441A59 E8D2480200              Call 00466330
:00441A5E 40                      inc eax
:00441A5F 90                      nop
:00441A60 752B                    jne 00441A8D   //////Must jump
:00441A62 8B95CC010000            mov edx, dword ptr [ebp+000001CC]
:00441A68 52                      push edx

* Reference To: MSVCRT.free, Ord:025Eh
                                  |
:00441A69 FF1548DA4600            Call dword ptr [0046DA48]
:00441A6F 83C404                  add esp, 00000004
:00441A72 899DCC010000            mov dword ptr [ebp+000001CC], ebx

If these don't get modified in ALL the executibles, then even though
you successfully patch the u32prod.dll, the program will still be dead.
You should always be alert for weird or unusual function calls like 
this one.


Part 2 Restoring some functionality to u32prod.dll
Initially, when you run any program, you always get the same startup 
screen mentioned earlier. There are three buttons at the bottom of that
screen to start with. One is Try More!, the next is Order Now!, and 
last is Link to Web Site. After your program times out you will see a
new button in place of the Try More!. It will be the OK button.
To fix this you need to run Restorator 2.5 and open the u32prod.dll.
A quick look into it's resources and you will see the initial startup 
screen with the aforementioned buttons in place, but not the OK button.
That shows up as a completely different resource listing and not a 
button at all, but merely a string! "The game is afoot, Watson,"
yells Sherlock Holmes.
At dialog 300 you see:

300 DIALOGEX 0, 0, 306, 230, 0
STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUPWINDOW | WS_DLGFRAME
CAPTION "Ulead MediaStudio Pro 6.0"
FONT 8, "MS Sans Serif", 0, TRUE
{
 DEFPUSHBUTTON "&Try More!", 306, 55, 211, 62, 14
 PUSHBUTTON "&Order Now!", 307, 119, 211, 59, 14
 PUSHBUTTON "Link To Web Site", 308, 187, 211, 113, 14
 CONTROL 301, 302, "STATIC", SS_BITMAP | SS_CENTERIMAGE, 6, 6, 294, 56
 LTEXT "", 303, 6, 66, 294, 116
 CONTROL "", 304, "STATIC", SS_BLACKFRAME | SS_SUNKEN, 6, 183, 294, 1, 
       WS_EX_CLIENTEDGE
 LTEXT "", 305, 6, 186, 112, 8
}

This is the resource for our opening screen. Remember, after we time out
the Try More! button will be gone to be replaced by the OK button which 
is String 645:
STRINGTABLE
{
10304, "OK"
10305, "ORDER.HLP"
}

What can we do to help ourselves? See the mods below in the second
pushbutton control. I have placed another &Try More! string here
since the other is overwritten. 

300 DIALOGEX 0, 0, 306, 230, 0
STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUPWINDOW | WS_DLGFRAME
CAPTION "Dave's MediaStudio Pro 6.0"
FONT 8, "MS Sans Serif", 0, TRUE
{
 DEFPUSHBUTTON "&Try More!", 306, 55, 211, 62, 14
 PUSHBUTTON "&Order Now!", 307, 119, 211, 59, 14
 PUSHBUTTON "&Try More!", 306, 55, 211, 62, 14
 CONTROL 301, 302, "STATIC", SS_BITMAP | SS_CENTERIMAGE, 6, 6, 294, 56
 LTEXT "", 303, 6, 66, 294, 116
 CONTROL "", 304, "STATIC", SS_BLACKFRAME | SS_SUNKEN, 6, 183, 294, 1, 
      WS_EX_CLIENTEDGE
 LTEXT "", 305, 6, 186, 112, 8
}


Also in string 645:
STRINGTABLE
{
10304, "OK"
}
 
 You'll see I got rid of the reference to the help file. Otherwise
 it will always and forever popup and stay open. Now it doesn't.
 
 Finale
 When you get ready to leave the Restorator 2.5 it will ask you if you want 
 to save your changes and then will save them as the .dll with a slightly 
 different name. You must place the modifed .dll in the same directory as
 your other Ulead MediaStudio files and then rename the original and then
 rename the modifed .dll so it gets the name that the original was so that
 your executibles can now use the modifed u32prod.dll.
 And that's all there is to that one fellow reversers. 
 Of course, if you really like it , buy it. 'Til later.
 Sojourner   
 email:jomamameister@hotmail.com