A simple tut about how to crack a simple target ;P
"The death of ACDSee 32"

Chapter

Introduction
------------
ACDSee32 2.43 is a pic viewer in every sense of the word, but this little baby costs some 34,95$!!!! to use. Why, I don't really know and I hardly care. It just became a target for that reason. If you look in the help file, this is what the author says about "Why you should register":

"For many people, the most pressing reason to register is to get rid of the annoying nag box which pops up at the most inconvenient times."

This has gotta be some kind of joke... sure I can register, but not for my money ;)

Tools needed
------------
SoftIce (I used 4.05)
Hiew (or any other hexeditor)
Brains (optional)
ACDSee32 2.43 (any target should work fine)

Tools can be found at http://protools.cjb.net
ACDSee can be found at http://www.acdsystems.com

The same procedure shown here should work on previous versions as well as on other targets, since this is a kind of template for easily cracked targets, so have it ready when facing your next dickface target.

Let's start
-----------
Open the about box under the help menu and choose the "Register Now" button. Insert your name and serial (as usual). Hit the "OK" button and a MessageBox ;) will appear. Ignore what it says and press CTRL+D to enter SoftIce (SI from now on).

In SI we need to set a good breakpoint (I would prefer MessageBoxA). After the bpx is set, hit the "OK" button again and SI will now break. Press the F12 button right away and press the "OK" button in the messagebox. You will enter SI again; press F10 till you get to the address 451D36.

The way you newbies should think about it is: "Why did we end up here?". But the normal thinking guy like me knows that a jump above could be the reason. So what you will do is: look at address 451CA9. There's the reason the nag appeared, but this is just some error check for the reg sequence (I think, nor do I care).
So we need to find the jump that could take us to this section, so again look above at address 451CA9. This is the cause why the regcode wasn't accepted. A good trick is that usually, when you find the jump, you look in the CALL just above it, or set a bpx at the address the CALL goes to (in this case the command would be "bpx 450CA0"). Before leaving SI, type bd 0 (to disable your breakpoint), then press F5 to leave SI.

Hit the "OK" button again, but this time SI breaks at your later bpx. We need to know why the jump didn't work, so press F10 till you get to the address 450D6A. There you will see XOR EAX, EAX (this is why the compare outside this call failed). What we need to do is to think for a sec. We need something that sets EAX = 1, not 0. If you look at the lines between 450CA0 and 450D6A you will see that at address 450D01 there is a MOV EAX,00000001. This looks really good in my eyes, so press F5, hit the "OK" button again and trace down to address 450CFC. The program wants to jump here but we don't, so a NOP would fit here... (If you look above at address 450CBC, you'll see another conditional jump, but I changed this one into a jump, just to make sure ;) Note the two addresses and leave SI.

Open up Hiew and load a copy of ACDSee. Press Enter two times to fix the view, then press F5 and enter the first offset (450CFC-400000 = 50CFC). You will end up at the first conditional jump that's gonna be NOP:ed, so press F3 and enter 9090->F9 (to update). If you want to fix the other jump, just go a few lines up to 450CBC and press F3->EB (to make it jump)->F9 and you're done!

Last words
----------
I hope that you understood the basis of this tutorial, since it could be useful when encountering a new target with the same procedure, and setting a bpx at the call above the jump can tell you a lot about the target.

That's all from me this time......

Big thanks to the Lockless Crew, CORE, dF, eMINENCE.
eVC, Titanium, TNT, C.i.A., tCA

Boba Fett
Lockless Cracking 2002
May the 26th 03:13:05 CET

Contact me at bobafett@lockless.com or at #lockless on EfNet