Enabling all the filters in EyeCandy 4000 Demo
by Raybiez (Feb 27th 2001)

Tools needed:
Alien Skin Eye Candy 4000 Demo (www.alienskin.com)
UltraEdit v8.0 (www.ultraedit.com + keygen at www.keygenstudio.org)
W32Dasm v8.93

Tools can be found at:
http://www.programmerstools.com
http://www.8bn.com/hambo/tools.html
http://kickme.to/codersdomain

---

Whenever you're gonna crack a program the first thing you should do is study how it works, trying to get as much info as you can. Look at the website and see if you can get hints on how it can be purchased. Can you enter a serial number? Do you get a different version if you buy it? By looking at Alien Skin's website we get the following info on the Eye Candy Demo:

"In the demo version available for download below, 3 of the 23 filters are fully functional: Glass, Marble and Shadowlab. You will be able to preview, apply and save effects on your work using these three filters. The other 20 filters allow you to preview, but not apply or save, their effects."

Ok, that could be useful. Download the Demo and install it. I installed it with Photoshop 6 and the program files are placed here:

C:\Program Files\Adobe\Photoshop 6.0\Plug-Ins\Eye Candy 4000

The program file is called EyeCandy4000.8bf. So let's start by making a backup copy of that called EyeCandy4000.w32.

Launch W32Dasm and click on Disassembler|Open File to Disassemble, select All Files, then browse to and open EyeCandy4000.w32. It will now disassemble your file, just wait a moment and it's done. This will give you a so-called Dead Listing of the program code. If everything just looks like crap then change the font that is used by clicking Disassembler|Font...|Select Font. Then choose Save Default Font.

Start Photoshop or whichever program you're using, then open an image and try to use one of the 20 filters that cannot be applied or saved. You get a message saying 'Unable to run filter'. You are using a demo.. etc.

Now switch back to W32Dasm. You should look for a String Reference that looks like the message you just got. There's a button that says Strn Ref that automatically brings up a list of all the found string references, so you can click on that, find the nag message you got and double-click on it. That will take you to the correct location in the code, and if you double-click on it again you will see whether the same string reference appears more than once in the code. You can also use the normal search method: click Search|Find Text and search for 'You are using a demo' (without quotes). Make sure it is only found at one location.

Time to start studying some code.

:10035390 8B460C        mov eax, dword ptr [esi+0C]
:10035393 BB01000000    mov ebx, 00000001
:10035398 50            push eax
:10035399 E8D5350600    call 10098973
:1003539E 83C404        add esp, 00000004
:100353A1 8BF8          mov edi, eax
:100353A3 8BCF          mov ecx, edi
:100353A5 68888F0D10    push 100D8F88
:100353AA E8902B0600    call 10097F3F
:100353AF 85C0          test eax, eax
:100353B1 7534          jne 100353E7          ; Interesting
:100353B3 68708F0D10    push 100D8F70
:100353B8 8BCF          mov ecx, edi
:100353BA E8802B0600    call 10097F3F
:100353BF 85C0          test eax, eax
:100353C1 7524          jne 100353E7          ; Interesting
:100353C3 68508F0D10    push 100D8F50
:100353C8 8BCF          mov ecx, edi
:100353CA E8702B0600    call 10097F3F
:100353CF 85C0          test eax, eax
:100353D1 7514          jne 100353E7          ; Interesting

* Possible Reference to String Resource ID=02707: "Unable to run filter"
                        |
:100353D3 68930A0000    push 00000A93

* Possible Reference to String Resource ID=02708: "You are using a demo version of Eye Candy 4000. In this demo"
                        |
:100353D8 68940A0000    push 00000A94
:100353DD E83E170400    call 10076B20
:100353E2 83C408        add esp, 00000008
:100353E5 EB0C          jmp 100353F3

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:100353B1(C), :100353C1(C), :100353D1(C)
|
:100353E7 56            push esi
:100353E8 55            push ebp
:100353E9 E8622A0000    call 10037E50
:100353EE 83C408        add esp, 00000008
:100353F1 8BD8          mov ebx, eax

This can seem a little hard to understand if you're not familiar with Assembly code, but it's really not that difficult. The value to the left (100353F1) is the Virtual Address for the program, the address where the program (most likely) will reside in memory when executed. The next value (8BD8) is the Hex value for the specific instruction to the right (mov ebx, eax). Each of those Hex values represents a different processor instruction. Each program has an Entry Point, and from there these lines of code are executed one by one depending on how the user clicks and what values are entered etc.

You don't really have to understand a lot of instructions to crack the easier programs. But these are good to know:

je 100353E7     ; Jump IF EQUAL to address 100353E7
jne 100353E7    ; Jump IF NOT EQUAL to address 100353E7
jmp 100353F3    ; Jump to 100353F3

There are several variants of jumps but they are all pretty much the same: JZ (Jump IF ZERO), JNZ (Jump IF NOT ZERO) etc. I will explain this in more detail in future tutorials.

Ok, enough of this crap, let's get cracking! By looking at the code that is executed BEFORE the annoying nag message you can see something interesting. There are THREE conditional jumps in that code (jne 100353E7). If it takes ANY of these jumps the nag message will not be shown. So why three? Well, remember what info we got at Alien Skin's website? That's right, three of these nice filters are fully working, probably meaning that it checks if you're using one of these three specific ones. And if you are, the program works perfectly!

But what if we change one of the JNE to a JMP? It's best to choose the first 'cause it will make the program faster by executing less code! So highlight the line at address 100353B1 and look at the bottom, it will say: @Offset 000353B1h.

Close EyeCandy and open EyeCandy4000.8bf in UltraEdit (you don't have to close Photoshop). Locate the address 000353B1; you can simply click Search|Goto Line/Page and enter 0x000353B1. You now see 75 34, which means jne 100353E7, as you can verify in W32Dasm. Change that to EB 34 (jmp 100353E7), always jump. Save the changes (you don't have to close UltraEdit either).

Now try to apply any of the filters that didn't work before. Now they all work like a charm! ahh CRACKED!! Just cracked your first program? That's a nice feeling. ;)

Now you can clean up the crack a little. I guess you've noticed that it says ' Eye Candy 4000 Demo' in the list of plugins in Photoshop. Make sure EyeCandy isn't running, then switch back to UltraEdit and click Search|Find and enter ' Eye Candy 4000 Demo' (without quotes). Notice the initial Space. Make sure you choose Find ASCII. Ok, this is found 23 times, and since the program has 23 filters you can figure out what it means. Replace all 23 with 'Eye Candy 4000 '.

You can also replace '' and '' with something nicer, it's located at 000F29C6 and 000F29EA. Remove the word 'demo' at address 000F2D6E with Spaces. Just make sure you don't mess with the zeros between the letters, or it won't work.

Well, now the crack is fully complete. If you wanna build and distro your own patch then use a patch generator such as Cogen II. There are several patch generators like this that will compare the original file to the cracked one and then generate either ready-to-use source code or even compile it into an .exe file for you! Just look around on the tool sites..

Hope you had phun reading this, at least it was fun writing, be back with more tutorials if you want.

Written by Raybiez (raybiez@gmx.net)
Dedicated to +ORC, tKC, ED!SON, Fravia, +Sandman and all others for writing tutorials and YOU for reading it!
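
Seen from the vendor's or an incident responder's side, the one-byte change described above is easy to spot when a known-good copy of the file is available. The following is an added example, not part of the original tutorial: a Python integrity check that compares a file against a reference copy and flags short conditional jumps that were rewritten to unconditional ones. The function name `audit`, its parameters and the sample buffers are assumptions made for illustration; the sample bytes are constructed from the listing above.

```python
import hashlib

# Short conditional jumps are opcodes 0x70-0x7F followed by a signed 8-bit
# displacement; 0xEB is the unconditional short jump with the same layout.
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]

def audit(reference, installed, base_offset=0, va_delta=0):
    """Return one finding per byte of `installed` that differs from `reference`.

    base_offset: file offset of the first byte of both buffers (hypothetical).
    va_delta:    virtual address minus file offset, assumed constant here.
    """
    if hashlib.sha256(reference).digest() == hashlib.sha256(installed).digest():
        return []  # bit-identical, nothing to report
    findings = []
    if len(reference) != len(installed):
        findings.append({"kind": "size-changed"})
    n = min(len(reference), len(installed))
    for i in range(n):
        old, new = reference[i], installed[i]
        if old == new:
            continue
        off = base_offset + i
        finding = {"kind": "modified", "file_offset": off, "old": old, "new": new}
        nxt = i + 1
        # Heuristic (no disassembler): opcode swapped, displacement untouched.
        if (0x70 <= old <= 0x7F and new == 0xEB and nxt < n
                and reference[nxt] == installed[nxt]):
            rel = installed[nxt] - 0x100 if installed[nxt] >= 0x80 else installed[nxt]
            va = off + va_delta
            finding.update(kind="jcc-to-jmp", was=JCC[old - 0x70],
                           va=va, target=va + 2 + rel)
        findings.append(finding)
    return findings

# Constructed sample: bytes 100353AF-100353C2 of the listing above, and a copy
# with the opcode at 100353B1 changed the way the tutorial describes.
REFERENCE = bytes.fromhex("85C0 7534 68708F0D10 8BCF E8802B0600 85C0 7524")
TAMPERED = REFERENCE[:2] + b"\xEB" + REFERENCE[3:]

if __name__ == "__main__":
    for f in audit(REFERENCE, TAMPERED, base_offset=0x353AF, va_delta=0x10000000):
        print({k: hex(v) if isinstance(v, int) else v for k, v in f.items()})
```

A finding of kind `jcc-to-jmp` next to a licence or policy check is a strong tamper signal; a vendor can reduce exposure to this kind of change by not letting a single branch decide the outcome and by verifying code integrity at load time.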