-----------------------------------------------------------------------------
Date   : 29. April 2000
Title  : Pictureman Pro v 3.0 (trial - no save)
Author : Sojourner
Source : http://www.AstaLaVista.com
-----------------------------------------------------------------------------

Pictureman Pro v 3.0 (trial - no save)

Hello fellow students-

What we will do--
1. Enable the Save function
2. Get rid of Demo tag at top of program window

Level- beginner

Tools--
1. w32dasm 8.9xxx
2. Ultraedit or hexeditor of your choice

History

Unknown-this is my first encounter with this guy. Looks to be an image editor with quite a few little goodies packed inside. Pick up a copy at www.stoiks.com

Begin

Let's find out what's going on in here. Go ahead and load pm30_32.exe and break it apart through w32dasm. Be sure to check out the menu listing in this one. You'll see the Save and Save As menu items. Go ahead and run this through w32dasm. You'll open to a window with a great big Demo sign tacked up to it. Well, that's not so bad I guess. Could be worse. We'll go ahead and fix that anyway.

If you search for Demo you'll run across it as listed below. Notice that just above there are two jumps, one at 00401F67 and one at 00401F6C. What we need to do first is to take

00401F64 83F801 and change it to 31C090

and then take

00401F67 7407 and change it to 9090.

Once we jump around those two we won't have any references to trial or demo in our prog. That's what we want anyway, a nice clean program if we can. Skip on down below to follow.

* Reference To: Stwa.WA_GetCompability, Ord:0057h
                                  |
:00401F5C 8B2DEC9F4300            mov ebp, dword ptr [00439FEC]
:00401F62 FFD5                    call ebp
:00401F64 83F801                  cmp eax, 00000001
:00401F67 7407                    je 00401F70
:00401F69 83F802                  cmp eax, 00000002
:00401F6C 7409                    je 00401F77
:00401F6E EB13                    jmp 00401F83

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401F67(C)
|
* Possible StringData Ref from Data Obj ->" (Trial Version)"
                                  |
:00401F70 686C324300              push 0043326C
:00401F75 EB05                    jmp 00401F7C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401F6C(C)
|
* Possible StringData Ref from Data Obj ->" (DEMO Version)"
                                  |
:00401F77 685C324300              push 0043325C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401F75(U)
|
:00401F7C 8D442414                lea eax, dword ptr [esp+14]
:00401F80 50                      push eax
:00401F81 FFD3                    call ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401F6E(U)
|
* Possible Reference to Menu: MenuID_0001
                                  |
* Possible Reference to String Resource ID=00001: "Picture Man"
                                  |
:00401F83 6A01                    push 00000001
:00401F85 A140654300              mov eax, dword ptr [00436540]
:00401F8A 50                      push eax
:00401F8B E880290200              call 00424910
:00401F90 6A00                    push 00000000
:00401F92 8B0D40654300            mov ecx, dword ptr [00436540]
:00401F98 51                      push ecx

Are you here? Now go ahead and load in one of the sample pictures or one of your own. It doesn't matter. Change it up a bit and try to save it. You get a message telling you that since this is a demo it won't save. Don't you believe it. Put in a search for that string or a portion of it. You won't find it in the executable. But when you see the message:

Save operations are not available in DEMO version!

You can single step once in w32dasm and be in the impexp32.dll at a messageboxa. Load this dll and then you can go to work inside of it. Eventually, you'll work your way back to 10003E48. See below. This call sets up the error message.
We need to change the jump at 10003E45 to a forced jump:

10003E45 EB1990909090

Please skip to the next section and we'll actually repeat ourselves.

//////////////////////////////////////////////////////////////////

Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10003E1B(C)
|
* Reference To: Stwa.WA_GetCompability, Ord:0057h
                                  |
:10003E28 FF15E0430110            Call dword ptr [100143E0]
:10003E2E 8945FC                  mov dword ptr [ebp-04], eax
:10003E31 837DFC03                cmp dword ptr [ebp-04], 00000003
:10003E35 0F8415000000            je 10003E50
:10003E3B 8B45FC                  mov eax, dword ptr [ebp-04]
:10003E3E 50                      push eax
:10003E3F 8B4508                  mov eax, dword ptr [ebp+08]
:10003E42 50                      push eax
:10003E43 E878FEFFFF              call 10003CC0                ////HERE
:10003E48 83C408                  add esp, 00000008
:10003E4B E949000000              jmp 10003E99

/////////////////////////////////////////////////////////////////////

Next section.

Here we are fellow reversers. Very close to the end now. At 10004206 is the jump we need to force to miss the call at 10004217. Change the je at 10004206 to:

EB1C90909090

* Possible Reference to String Resource ID=00001: "Converters"
                                  |
:100041D8 C78560FAFFFF01000000    mov dword ptr [ebp+FFFFFA60], 00000001

* Possible Reference to String Resource ID=00001: "Converters"
                                  |
:100041E2 C78520FCFFFF01000000    mov dword ptr [ebp+FFFFFC20], 00000001
:100041EC C745FC00000000          mov [ebp-04], 00000000

* Reference To: Stwa.WA_GetCompability, Ord:0057h
                                  |
:100041F3 FF15E0430110            Call dword ptr [100143E0]
:100041F9 898584FBFFFF            mov dword ptr [ebp+FFFFFB84], eax
:100041FF 83BD84FBFFFF03          cmp dword ptr [ebp+FFFFFB84], 00000003
:10004206 0F8418000000            je 10004224                  ///HERE///
:1000420C 8B8584FBFFFF            mov eax, dword ptr [ebp+FFFFFB84]
:10004212 50                      push eax
:10004213 8B4508                  mov eax, dword ptr [ebp+08]
:10004216 50                      push eax
:10004217 E8A4FAFFFF              call 10003CC0                ///HERE///
:1000421C 83C408                  add esp, 00000008
:1000421F E9A7180000              jmp 10005ACB

Finale

We're finished fellow students.
Go into your favorite hex editor and make the necessary changes and you're good to go. Of course, if you really like it, buy it.

'Til later.

Sojourner
email:jomamameister@hotmail.com
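
Seen from the defending side, the edits above leave a recognisable footprint: a 6-byte conditional jump overwritten in place with a 2-byte short jump plus NOP padding, or a short conditional jump blanked with NOPs. The Python below is an added example, not part of the original tutorial; it compares a known-good code region with a suspect copy and labels each modified run. The function names are hypothetical, and the sample buffers are constructed from the bytes shown in the impexp32.dll listing starting at 100041FF.

```python
import struct

NOP = 0x90

def changed_runs(good, suspect):
    """Return [(offset, good_bytes, suspect_bytes)] for each run of differing bytes."""
    if len(good) != len(suspect):
        raise ValueError("length mismatch: compare the same region of both files")
    runs, start = [], None
    for i in range(len(good) + 1):
        differs = i < len(good) and good[i] != suspect[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            runs.append((start, good[start:i], suspect[start:i]))
            start = None
    return runs

def classify(addr, old, new):
    """Describe one modified run; addr is the virtual address of its first byte."""
    # Near Jcc (0F 8x rel32) replaced by JMP short (EB rel8) and NOP padding.
    if (len(old) >= 6 and old[0] == 0x0F and 0x80 <= old[1] <= 0x8F
            and new[0] == 0xEB and all(b == NOP for b in new[2:6])):
        old_target = addr + 6 + struct.unpack("<i", old[2:6])[0]
        new_target = addr + 2 + struct.unpack("<b", new[1:2])[0]
        kind = "forced-taken" if old_target == new_target else "redirected"
        return f"{addr:08X}: conditional jump {kind} -> {new_target:08X}"
    if all(b == NOP for b in new):
        return f"{addr:08X}: {len(new)} byte(s) overwritten with NOP"
    return f"{addr:08X}: {len(new)} byte(s) modified"

def tamper_report(base, good, suspect):
    """Classify every difference between two copies of the region loaded at base."""
    return [classify(base + off, old, new)
            for off, old, new in changed_runs(good, suspect)]

# Constructed sample: instruction bytes from the listing, 100041FF up to 1000421B.
BASE = 0x100041FF
GOOD = bytes.fromhex("83BD84FBFFFF03" "0F8418000000" "8B8584FBFFFF"
                     "50" "8B4508" "50" "E8A4FAFFFF")
SUSPECT = GOOD.replace(bytes.fromhex("0F8418000000"), bytes.fromhex("EB1C90909090"))

if __name__ == "__main__":
    for line in tamper_report(BASE, GOOD, SUSPECT):
        print(line)
```

A vendor or incident responder would feed it the code section of the shipped file and of the copy under examination; an empty report means the region is byte-identical.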