CRACK TUTORIAL #1
AUTHOR : Exhume
--------------------------------------------------------------------------------------------
TARGET : Paint Shop Pro 6.00
TOOLS  : SoftIce, Hiew
--------------------------------------------------------------------------------------------
This is my first tutorial; if you have comments or need more info, mail me.

- When I tried to load psp with W32Dasm 8.93 it crashed! (You don't need it, but it would have been easier to show more asm code in this tut.)
- Take a backup of psp.exe!

I used the API function GetSystemTime to break; you can also use GetLocalTime.
--------------------------------------------------------------------------------------------
Note: you might want to close applications that check the date every second, e.g. ICQ.
--------------------------------------------------------------------------------------------
If you look in the API reference the function looks like this...

    VOID GetSystemTime(
        LPSYSTEMTIME lpSystemTime   // address of system time structure
    );

and the SYSTEMTIME structure that LPSYSTEMTIME points to looks like this...

    typedef struct _SYSTEMTIME {  // st
        WORD wYear;
        WORD wMonth;
        WORD wDayOfWeek;
        WORD wDay;
        WORD wHour;
        WORD wMinute;
        WORD wSecond;
        WORD wMilliseconds;
    } SYSTEMTIME;

You don't really need these to understand the tutorial, but it's handy to know about them :)
--------------------------------------------------------------------------------------------
CRACK
--------------------------------------------------------------------------------------------
Ok, now press Ctrl+D and SoftIce pops up... duhh. Type:

    BPX GetSystemTime

...press F5... start psp.exe... SoftIce pops up... press F12 till you are in psp code. You should see something like this:

    :00750123 mov ecx,[esp+28]    ; <-- EIP should be here!

A little explanation...
    :0075011C push eax            ; address of the return value for the function
    :0075011D call [009650dc]     ; call to our time function; this calculates the current date (in days since 1899)
    :00750123 mov ecx,[esp+28]    ; return value of our function goes into ecx
    :00750127 mov edx,[esp+64]    ; date (in days) when you installed psp goes into edx
    :0075012B push ecx            ; push ecx on stack
    :0075012C push edx            ; push edx on stack
    :0075012D call [0096509C]     ; this function subtracts the 2 values (trace into it! F8)
    :00750133 add esp,0C
    :00750136 call 0081495A       ; (nothing important)
    :0075013B mov ecx,eax         ; * eax into ecx
    :0075013D mov eax,C22E4507    ; * C22E4507 into eax
    :00750142 imul ecx            ; * multiply eax with ecx, result stored in EDX:EAX
    :00750144 add edx,ecx         ; * edx = edx + ecx
    :00750146 sar edx,10          ; * shift 16 bits right
                                  ;   (* = all instructions needed to calc how long we've been using psp)
    :00750149 mov eax,edx         ; edx into eax
    :0075014B shr eax,1F          ; shift 31 bits right (normally eax will be zero)
    :0075014E add edx,eax         ; add eax to edx
    :00750150 lea esi,[edx+1]     ; load edx + 1 into esi
    :00750153 cmp esi,1           ; check whether esi is >= 1. WHY?? ...because some smart ppl try turning back their clock :)
    :00750156 jge 0075015D        ; when someone turned back the clock it won't jump and...
    :00750158 mov esi,0000005B    ; ...this will put the maximum trial time into esi (esi = 5B)
    :0075015D mov [esp+44],ebx
    :00750161 mov [esp+40],0085B2B0

We can trace further... BUT!

First I tried changing the Sign Flag by typing:

    R FL S

    R   --> change the value of a register
    FL  --> the register is the flags register
    S   --> set the Sign Flag to the opposite of what it is now

...but now psp crashes when we press F5... DAMN!

Then I tried changing the value of esi to 1 before cmp esi,1 (I cracked it when psp was already expired). Do this by typing:

    R ESI=1

...IT WORKS! Now we know that when you change esi to a value lower than 5B it will never show the expired box.
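Here is the arithmetic behind the starred lines, rewritten in C as an added example (it is not the author's code and nothing in it is taken from psp.exe). The magic constant C22E4507 together with the two shifts is the compiler's idiom for a truncating signed division by 86400, the number of seconds in a day, so the sequence converts the difference returned by the call at 0075012D into whole days, adds 1, and clamps the result to 5B when the clock has been turned back. The function names and the sample inputs are my own.

```c
#include <stdint.h>
#include <stdio.h>
static const int32_t MAGIC = -1037155065;   /* 0xC22E4507 read as a signed dword */

/* Arithmetic right shift with floor semantics (what SAR does), written so it
 * does not depend on how the compiler shifts a negative operand. */
static int64_t sar64(int64_t v, int n) { return v < 0 ? ~((~v) >> n) : v >> n; }

/* The instructions from 0075013B to 00750158: diff is the value the call at
 * 0075012D left in EAX, the return value is what ends up in ESI. */
int32_t psp_trial_counter(int32_t diff)
{
    int64_t prod = (int64_t)MAGIC * (int64_t)diff;  /* mov eax,C22E4507 / imul ecx */
    int32_t edx  = (int32_t)sar64(prod, 32);        /* high dword of EDX:EAX       */
    edx += diff;                                    /* add edx,ecx                 */
    edx  = (int32_t)sar64(edx, 16);                 /* sar edx,10                  */
    int32_t eax = (int32_t)((uint32_t)edx >> 31);   /* mov eax,edx / shr eax,1F    */
    edx += eax;                                     /* add edx,eax                 */
    int32_t esi = edx + 1;                          /* lea esi,[edx+1]             */
    if (esi < 1)                                    /* cmp esi,1 / jge             */
        esi = 0x5B;                                 /* mov esi,0000005B            */
    return esi;
}

/* The same thing stated plainly: magic multiply + shifts is the compiler's idiom
 * for a truncating signed division by 86400 (seconds per day), so the counter
 * is "whole days elapsed + 1", clamped to 5B when the clock went backwards. */
int32_t reference_counter(int32_t diff)
{
    int32_t esi = diff / 86400 + 1;
    return esi < 1 ? 0x5B : esi;
}

/* Returns 1 when both versions agree for every day in [lo_days, hi_days],
 * sampled at several offsets inside each day. */
int counters_agree(int lo_days, int hi_days)
{
    for (int d = lo_days; d <= hi_days; d++)
        for (int off = 0; off < 86400; off += 12345)
            if (psp_trial_counter(d * 86400 + off) != reference_counter(d * 86400 + off))
                return 0;
    return 1;
}

int main(void)
{
    printf("day 0: %d  day 30: %d  clock rolled back a day: %X\n",
           psp_trial_counter(0), psp_trial_counter(30 * 86400), psp_trial_counter(-86400));
    return 0;
}
```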
--------------------------------------------------------------------------------------------
PATCH
--------------------------------------------------------------------------------------------
Now let's find a way to patch it... Start by looking at the lines where I typed *. You can see we have to make sure that the value of edx stays 0 (or at least less than 5B), so let's see... hmmmm...

    sar edx,10

looks interesting. What if we change it into

    shr edx,1F

Now edx will always be 0 (it can be 1, I know, but this will never happen, and even if it is 1 it will still work). So now change sar edx,10 into shr edx,1F with Hiew... everybody knows how to do this, right? NO?! Ok... start HIEW and choose psp.exe, press ENTER 2 times to go to asm mode, go to the right offset with F5, then press F3 for change and then F2 for ASM CHANGE. Ok, done? Press F9 to update your changes and F10 to quit. DONE!

Written for educational use only, if you like psp BUY IT!

Exhume