Name      : ACDSee

Version   : 2.41

Editor    : ACD Systems

Target    : acdsee32.exe

Tools     : Softice
            W32Dasm
            Hiew
            Brain

Cracker   : LW2000

Tutorial  : No.13

http://www.acdsystems.com


---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---



Please excuse my poor English, it's not my mother tongue....


1.	Start ACDSee and go to Help | About | Register Now
	Username: LW2000@GMX.NET
	Serial: 1230099
	Click on OK. *BOOM* "Your name and registration code do not match"
	Typical program bug ;) Press OK to close the message box.

	Let's fix it...

	Press [ctrl]+[d] to switch to Softice.
	Now set a breakpoint on GetDlgItemTextA with
	'bpx getdlgitemtexta'. Press F5 to continue.
	Press OK again. Softice pops up.
	Now press F11 to return to the caller.


	:00459049 FFD5           call ebp
	:0045904B 8B15C0035000   mov edx, dword ptr [005003C0]  <-- here
	:00459051 8D442414       lea eax, dword ptr [esp+14]
	:00459055 8D4C2410       lea ecx, dword ptr [esp+10]
	:00459059 50             push eax

2.	Trace through the code with F10 till you are here:

	:004590A0 8D54241C          lea edx, dword ptr [esp+1C]
	:004590A4 85D2              test edx, edx	<-- here
	:004590A6 741E              je 004590C6


	EDX and EAX are compared.
	'd edx' will show our name. Seems that the proggy checks
	if you have entered a name.

	Press F10 till you are here:

	:004590C6 8D8424F4000000   lea eax, dword ptr [esp+000000F4]
	:004590CD 85C0             test eax, eax	<-- here
	:004590CF 7424             je 004590F5


	Looks familiar: 'd eax' will show our fake serial.

	:00459105 6A00             push 00000000
	:00459107 3BF8             cmp edi, eax	<-- here
	:00459109 0F85E7000000     jne 004591F6

3.	Use F10 till you are here:


	:00459121 E8FAEFFFFF       call 00458120
	:00459126 83F801           cmp eax, 00000001  <-- here
	:00459129 7443             je 0045916E


	Looks interesting. Enter 'bc *' to clear all bpx. Then
	double-click on  :00459126 83F801    cmp eax, 00000001
	to set a new bpx on this line.
	Now enter 'r eax=1' to change EAX to 1.

	Press F5. Wow, seems to be a very easy crack. But wait, take
	a look at the title bar of ACDSee! Still unregistered...

4.	Mhmm, close ACDSee and start it again. But it is still
	unregistered, so let's take a look at the code again!


	:00459121 E8FAEFFFFF  call 00458120     <-- mhmm, what's this...
	:00459126 83F801      cmp eax, 00000001 <-- our manipulation
	:00459129 7443        je 0045916E

	Before our manipulated compare there is a call to a function.

	Go to this line:

	:00459121 E8FAEFFFFF    call 00458120

	and press F8 to step into this call.

	:00458120 83EC24        sub esp, 00000024  <-- here we are
	:00458123 53            push ebx
	:00458124 55            push ebp
	:00458125 56            push esi
	:00458126 8B742434      mov esi, dword ptr [esp+34]

	Now, the same procedure as every time ;)

5.	Trace with F10, till you are here:

	:00458177 83C410        add esp, 00000010
	:0045817A 85C0          test eax, eax	  <-- here
	:0045817C 740F          je 0045818D

	Let's try again. 'bd *' to disable all other bpx. Double-click on
	:00458177 83C410        add esp, 00000010
	to set a new bpx. Now, enter 'R EAX=1'.

	Press F5 to continue.

	Mhhm, registered!  =) Close Acdsee and start it again.

	Sice pops up at the same spot where you stopped.
	'R EAX=1' again. Press F5 to continue. *Boom* Sice pops up again,
	so again 'r eax=1'! If you have started the browser, you need
	to do the same shit twice more. Ok, take a look at the
	title bar! *g* Only the name! You are registered!
	So let's fix it permanently.

	Take a look at the code:

	:00458177 83C410                  add esp, 00000010
	:0045817A 85C0                    test eax, eax  <-- here
	:0045817C 740F                    je 0045818D    <-- mhmm, *g*

	Enter 'bd *' and press F5. Close ACDSee and start W32Dasm.
	Disassemble acdsee32.exe. Now press Shift-F12 and enter 0045817C.

6.	Place the green bar on this line:
	:0045817C 740F                    je 0045818D
	and take a look at the status bar.

	...@Offset 0005817Ch in File: ACDSee32.exe

	Our offset is '0005817C'. Close W32Dasm and start Hiew with
	acdsee32.exe.

	Press Enter twice to go to decode mode.
	Press F5 and enter 0005817C.
	Ok, now you are at the right location.
	Press F3 to edit the file.
	Change 740F to 750F. This changes the je to a jne.
	Now ACDSee accepts only fake serials... ;))
	Press F9 to update and F10 to quit.

	Start ACDSee and enter your details.

Congratulations! You are a registered user!

FINISHED! Easy, isn't it?

cu LW2000
Any comments? Mail me LW2000@gmx.net !!!
----
tKC, thx for your tutors!
I started with tutor 1 and I still read them... they are the best!