Name     : Silver (Photoshop Plugin)
Version  : generic
Editor   : Sandwater
Target   : Silver-100.8bf
Tools    : W32Dasm
           Hiew
           Brain
Cracker  : LW2000
Tutorial : No.41

http://www.sandwater.com/download.html

---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---

1. Ok, start Photoshop and try the Silver plugin. Ok, all works fine.
   Close Photoshop and set the system date to the next month. Ok, start
   Photoshop again and try the Silver plugin. *BOOM* Trial has expired!
   Mhmm, seems that we have found a bug... ;) Let's fix it.

   Load Silver-100.8bf with W32Dasm. Click on the Dialog Reference. Now you
   should see this:

   NO_THANKS1, CONTROL_ID:0063, "A valid code was not entered."
   REG_TIMEOUT, CONTROL_ID:0064, "- Pay by mail to Kagi, 1442-A Walnut Str"
   REG_TIMEOUT, CONTROL_ID:0065, "Payment is accepted through Kagi, a fee "
   REGISTER1, CONTROL_ID:0003, ""

2. Ok, let's close this window and go to "REG_TIMEOUT" in the String Data
   Reference!

   * Possible StringData Ref from Data Obj ->"REG_TIMEOUT"
                                     |
   :1000D0A5 6844D10110              push 1001D144
   :1000D0AA E88190FFFF              call 10006130
   :1000D0AF 56                      push esi
   :1000D0B0 E8ABFBFFFF              call 1000CC60
   :1000D0B5 8B0E                    mov ecx, dword ptr [esi]
   :1000D0B7 83C418                  add esp, 00000018
   :1000D0BA 66C7010100              mov word ptr [ecx], 0001

   Mhmm, let's scroll up!

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:1000D054(C)                                      <<-- we go there!
   |
   * Possible StringData Ref from Data Obj ->"The price is US$20."
                                     |
   :1000D08C 685CD10110              push 1001D15C

   * Possible StringData Ref from Data Obj ->"Silver"
                                     |
   :1000D091 6818D10110              push 1001D118

   * Possible StringData Ref from Data Obj ->"two weeks"
                                     |
   :1000D096 6850D10110              push 1001D150

   * Possible StringData Ref from Data Obj ->"Silver"
                                     |
   :1000D09B 6818D10110              push 1001D118
   :1000D0A0 E87B8AFFFF              call 10005B20

   * Possible StringData Ref from Data Obj ->"REG_TIMEOUT"

3. Ok, let's go to 1000D054, because REG_TIMEOUT is called from there.

   :1000D054 7D36                    jge 1000D08C     <<-- Bad Boy!
   :1000D056 8B54240C                mov edx, dword ptr [esp+0C]
   :1000D05A 56                      push esi
   :1000D05B 81C2807FF1FF            add edx, FFF17F80
   :1000D061 899054010000            mov dword ptr [eax+00000154], edx
   :1000D067 8B4604                  mov eax, dword ptr [esi+04]
   :1000D06A 8B500C                  mov edx, dword ptr [eax+0C]
   :1000D06D 8B02                    mov eax, dword ptr [edx]
   :1000D06F 89884C010000            mov dword ptr [eax+0000014C], ecx
   :1000D075 E80661FFFF              call 10003180

4. Ok, we have found the first check, let's beat this. Note the offset
   (D054), open Hiew and change the 7D36 to 9090 (2x NOP). Save your work
   and try the plugin. *BOOM* A msg box appears which tells us that we have
   a new version, and so we get a new trial! One week more! If you don't get
   the msg box, simply set the date to next month (why month and not week?
   It's easier to set back in Win than a week.. yeah, sometimes I'm lazy =).

   Let's take a look at this present. Open the file with W32Dasm and take a
   close look into the SDR. 'Version_Alert' sounds very interesting! So
   let's go there.

5. * Possible StringData Ref from Data Obj ->"VERSION_ALERT"
                                     |
   :1000D07A 6870D10110              push 1001D170
   :1000D07F E8AC90FFFF              call 10006130    <-- set trial and msg inside
   :1000D084 83C408                  add esp, 00000008
   :1000D087 5F                      pop edi
   :1000D088 5E                      pop esi
   :1000D089 5B                      pop ebx
   :1000D08A 59                      pop ecx
   :1000D08B C3                      ret

   Mhmm, what have we now? Simply NOP the call! Then every time the proggy
   is called we get one new trial week - so it can't ever expire. Let's do
   so. Open Hiew, load the file, go to the offset (D07F) and enter 5x NOP.

   E8AC90FFFF -> 9090909090

   Save your work and try it! Congratulations! You have beaten the
   restrictions.

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net !!!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them...
they are the best!
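Seen from the vendor's side, both edits above are in-place overwrites of a branch or call with 0x90 bytes, which is straightforward to detect by diffing a shipped file against a known-good copy. The following is an added example, not part of the original tutorial: the function names are hypothetical, and the sample buffers are constructed from instruction bytes shown in the listings, so the offsets are buffer offsets, not file offsets.

```python
"""Report byte patches in a file by diffing it against a known-good copy."""

NOP = 0x90

def patched_runs(good: bytes, suspect: bytes) -> list[list[int]]:
    """Return [start, end) spans where the two copies differ.

    Spans separated only by 0x90 bytes are merged: an operand byte that was
    already 0x90 (as in E8 AC 90 FF FF) does not change when the instruction
    is NOP-filled, so a plain diff would split that one patch in two.
    """
    if len(good) != len(suspect):
        raise ValueError("sizes differ; this check only covers in-place edits")
    runs, i, n = [], 0, len(good)
    while i < n:
        if good[i] == suspect[i]:
            i += 1
            continue
        j = i
        while j < n and good[j] != suspect[j]:
            j += 1
        if runs and all(b == NOP for b in suspect[runs[-1][1]:i]):
            runs[-1][1] = j          # gap was only NOPs: extend previous span
        else:
            runs.append([i, j])
        i = j
    return runs

def classify(old: bytes, new: bytes) -> str:
    """Name what was overwritten, judged by the original opcode and length."""
    if any(b != NOP for b in new):
        return "other edit"
    if 0x70 <= old[0] <= 0x7F and len(old) == 2:
        return "conditional jump (rel8) replaced by NOPs"
    if old[0] == 0xE8 and len(old) == 5:
        return "call (rel32) replaced by NOPs"
    return "bytes replaced by NOPs"

def find_patches(good: bytes, suspect: bytes) -> list[tuple[int, str, str]]:
    return [(s, good[s:e].hex(), classify(good[s:e], suspect[s:e]))
            for s, e in patched_runs(good, suspect)]

# Constructed sample buffers (assumption: not a dump of the real file).
GOOD = bytes.fromhex("7D36" "8B54240C" "56" "6870D10110" "E8AC90FFFF" "83C408")
SUSPECT = bytes.fromhex("9090" "8B54240C" "56" "6870D10110" "9090909090" "83C408")

if __name__ == "__main__":
    for offset, original, kind in find_patches(GOOD, SUSPECT):
        print(f"buffer offset {offset:#06x}: {original} -> {kind}")
```

A check like this only helps when it runs outside the file being checked, for example at install or update time against a signed hash list, because a check compiled into the plugin is itself a single compare-and-branch of the kind shown in step 3.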