Name : ACDSee
Version : 2.41
Editor : ACD Systems
Target : acdsee32.exe
Tools : Softice
W32Dasm
Hiew
Brain
Cracker : LW2000
Tutorial : No.13
http://www.acdsystems.com
---
DISCLAIMER
For educational purposes only!
I hold no responsibility of the mis-used of this material!
---
Please excuse my poor english, its not my mother language....
1. Start Acdsee and go to Help | About | Register Now
Username: LW2000@GMX.NET
Serial: 1230099
Klick on OK. *BOOM* "Your name and registration code do not match"
Typical program bug ;) Press ok to close the message box.
Let's fix it...
Press [ctrl]+[d] to switch to Softice.
Now set a breakpoint on getdlgitemtexta with
'bpx getdlgitemtexta'. Press F5 to continue.
Press ok, again. Softice pops up.
Now press F11 to get the caller.
:00459049 FFD5 call ebp
:0045904B 8B15C0035000 mov edx, dword ptr [005003C0] <-- here
:00459051 8D442414 lea eax, dword ptr [esp+14]
:00459055 8D4C2410 lea ecx, dword ptr [esp+10]
:00459059 50 push eax
2. Trace with F10 to the code, till you are here:
:004590A0 8D54241C lea edx, dword ptr [esp+1C]
:004590A4 85D2 test edx, edx <-- here
:004590A6 741E je 004590C6
EDX and EAX are compared.
'd edx' will show our name. Seems, that the proggy checks,
if you have entered a name.
Press F10 till you are here:
:004590C6 8D8424F4000000 lea eax, dword ptr [esp+000000F4]
:004590CD 85C0 test eax, eax <-- here
:004590CF 7424 je 004590F5
Looks familar: 'd eax' will show our fake serial.
:00459105 6A00 push 00000000
:00459107 3BF8 cmp edi, eax <-- here
:00459109 0F85E7000000 jne 004591F6
3. Use F10 till you are here:
:00459121 E8FAEFFFFF call 00458120
:00459126 83F801 cmp eax, 00000001 <-- here
:00459129 7443 je 0045916E
Looks interesting. Enter 'bc *' to clear all bpx. Then
doubleclick on :00459126 83F801 cmp eax, 00000001
to set a new bpx on this line.
Now enter 'r eax=1' to change eax to 1.
Press F5. Wow, seems to be any very easy crack. But wait, take
a look at titelbar from ACDSEE! Still unregistered...
4. Mhmm, close Acdsee and start it again. But it is still
unregistered, so let's take a look at the code again!
:00459121 E8FAEFFFFF call 00458120 <-- mhmm, what's this...
:00459126 83F801 cmp eax, 00000001 <-- our manipulation
:00459129 7443 je 0045916E
Before our manipulated compare is a call to a function.
Go on this line:
:00459121 E8FAEFFFFF call 00458120
and press F8 to step into this call.
:00458120 83EC24 sub esp, 00000024 <-- here we are
:00458123 53 push ebx
:00458124 55 push ebp
:00458125 56 push esi
:00458126 8B742434 mov esi, dword ptr [esp+34]
Now, the same procedure as everytime ;)
5. Trace with F10, till you are here:
:00458177 83C410 add esp, 00000010
:0045817A 85C0 test eax, eax <-- here
:0045817C 740F je 0045818D
Let's try again. 'bd *' to disable all other bpx. Doubleclick on
:00458177 83C410 add esp, 00000010
to set a new bpx. Now, enter 'R EAX=1'.
Press F5 to continue.
Mhhm, registered! =) Close Acdsee and start it again.
Sice pops up, at the same part, where you stopped.
'R EAX=1', again. Press F5 to contine. *Boom* Sice pops up again,
so again 'r eax=1'! If you have started the browser, you need
to do the same shit, twice again. Ok, take a look at the
titelbar! *g* Only the Name! You are registered!
So let's fix it permanent.
Take a look at the code:
:00458177 83C410 add esp, 00000010
:0045817A 85C0 test eax, eax <-- here
:0045817C 740F je 0045818D <-- mhmm, *g*
Enter 'bd *' and press F5. Close Acdsee and start W32Dasm.
Disassemble acdsee32.exe. Now press Shift-F12 and enter 0045817C
6. Place the green bar on this line:
:0045817C 740F je 0045818D
and take a look at the statusbar.
...@Offset 0005817Ch in File: ACDSee32.exe
Our Offset is '0005817C'. Close W32Dasm and start hiew with
acdsee32.exe.
Press Enter twice to go to decode mode.
Press F5 and enter 0005817C.
Ok, now you are at the right location.
Press F3 to edit the file.
Change 740F to 750f. This changes je to jne.
Now Acdsee accepts only fake serials... ;))
Press F9 to update and F10 to quit.
Start Acdsee and enter your details.
Congratulation! You are an registered user!
FINISH! Easy, or?
cu LW2000
Any comments? Mail me LW2000@gmx.net !!!
----
tKC, thx for your tutors!
I started with tutor 1 and i still read them... they are the best!