- the home of polish crackers -
proudly presents:

`~*¤§[ a tutorial:.................the.trial.thing.-.ulead.photo.explorer.v4.2 ]§¤*~`
`~*¤§[ written by:............................................emotion.thirteen ]§¤*~`
`~*¤§[ date:...................................................22nd.April.1999 ]§¤*~`

[ ulead photo explorer is a great example of trial software and an exact ]
[ example of how it shouldn't be done... anyways, it's not our problem 'coz if ]
[ they want to share with us for free or almost for free we can always accept ]
[ it, rite ? =) okay, let's use our mind now... first of all install software ]
[ and see how it works... nothing unusual here, nag screen which informs us ]
[ about trial time and nothing more... well, let's see what's inside... execute ]
[ your w32dasm - I use 8.93 version - load pe42.exe and disassemble it... now, ]
[ let's check out what's in 'string data references'... hmmm, nothing ]
[ interesting here, what now ??? well, save listing as project and minimize ]
[ w32dasm... now double click on win clock to set date/time properties... ]
[ let's move it a month or two ahead... heh, that's like travelling in time, ]
[ isn't it ?! no, it's not... =P~~ now once again execute photo explorer and ]
[ it'll nicely inform you that your trial period is over... let's travel back ]
[ to our time and execute it again... this time it should say 'sorry! due to ]
[ internal checking file damaged or system time had been changed...' yay, that's ]
[ what we've been looking for ! now when it's expired there's no way out: crack ]
[ it or walk away... get back to w32dasm and check out 'imports', scroll down ]
[ till you find 'peabout.' library and functions we need to check ]
[ 'CheckTimeLimit' and 'IsFullVersion'... double click on ]
[ peabout.IsFullVersion and it'll take you to this location: ]

* Reference To: peabout.IsFullVersion, Ord:0002h
                                  |
:0041B5DE FF15840C4600            Call dword ptr [00460C84]   - it checks if it's full or trial ver. here...
:0041B5E4 83C404                  add esp, 00000004           - the result is returned in eax...
:0041B5E7 85C0                    test eax, eax               - full or trial ?
:0041B5E9 751B                    jne 0041B606                - jumps if full, skips if trial...

* Reference To: peabout.CheckTimeLimit, Ord:0000h
                                  |
:0041B5EB FF15800C4600            Call dword ptr [00460C80]   - now it checks trial time...
:0041B5F1 85C0                    test eax, eax               - end of trial ?
:0041B5F3 7511                    jne 0041B606                - no, there're some days left, run proggy...
:0041B5F5 C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF      - apparently, there's no days left, show
:0041B5FC E8CB020000              call 0041B8CC               - proper message and exit
:0041B601 E928FEFFFF              jmp 0041B42E

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041B5D6(C), :0041B5E9(C), :0041B5F3(C)
|
:0041B606 8B4DF0                  mov ecx, dword ptr [ebp-10] - here is the point where program starts
:0041B609 E8E2130000              call 0041C9F0               - after check...

[ looks pretty simple, eh ? at first you'll probably think: gotta do ]
[ something with that check at :0041B5E7... well... it's a solution but... I ]
[ tell you that's not the best solution... anyways, after such a change your code ]
[ should look like this: ]

* Reference To: peabout.IsFullVersion, Ord:0002h
                                  |
:0041B5DE FF15840C4600            Call dword ptr [00460C84]   - it checks if it's full or trial ver. here...
:0041B5E4 83C404                  add esp, 00000004           - the result is returned in eax...
:0041B5E7 33C0                    xor eax, eax                - make eax = 0 always
:0041B5E9 741B                    je 0041B606                 - if eax=0 then jump...

[ photo explorer will run without a nag screen and it looks like full ]
[ ver now but... what about ABOUT menu ? you'll see that it still says it's ]
[ trial or something like that... so your crack is not 101 yet... let's see... ]
[ it says: '* Reference To: peabout.IsFullVersion, Ord:0002h'... if you look ]
[ inside photo explorer dir you'll find our victim 'peabout.dll' there... ]
[ disassemble it and look into 'exports'... yay ! 'CheckTimeLimit' and ]
[ 'IsFullVersion' are there ! double click on it and you should see the code ]
[ below... let's take a look... ]

Exported fn(): IsFullVersion - Ord:0003h
:100010C0 83EC04                  sub esp, 00000004
:100010C3 833D40B0001000          cmp dword ptr [1000B040], 00000000
:100010CA 750F                    jne 100010DB                - in our case it jumps always here...

* Reference To: peabout.InitAboutDll
                                  |
:100010CC E86FFFFFFF              call 10001040
:100010D1 85C0                    test eax, eax
:100010D3 7506                    jne 100010DB
:100010D5 33C0                    xor eax, eax
:100010D7 83C404                  add esp, 00000004
:100010DA C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:100010CA(C), :100010D3(C)
|

* Reference To: peabout.IsPI3FullVersion
                                  |
:100010DB E8E0030000              call 100014C0
:100010E0 A334C80010              mov dword ptr [1000C834], eax

* Reference To: peabout.IsWEGOFullVersion
                                  |
:100010E5 E8B6010000              call 100012A0
:100010EA 8B4C2408                mov ecx, dword ptr [esp+08]
:100010EE 6A00                    push 00000000
:100010F0 A330C80010              mov dword ptr [1000C830], eax
:100010F5 8D442404                lea eax, dword ptr [esp+04]
:100010F9 50                      push eax
:100010FA 6A01                    push 00000001

* Possible StringData Ref from Data Obj ->"SpecialBuild"
                                  |
:100010FC 6844B00010              push 1000B044
:10001101 51                      push ecx
:10001102 E8C90C0000              call 10001DD0
:10001107 83C414                  add esp, 00000014
:1000110A 85C0                    test eax, eax               - trial / full check...
:1000110C 741D                    je 1000112B                 - jump if trial...
:1000110E 817C240014050000        cmp dword ptr [esp], 00000514 - as above...
:10001116 7513                    jne 1000112B
:10001118 B801000000              mov eax, 00000001           - make eax=1 - full ver...
:1000111D 83C404                  add esp, 00000004
:10001120 C70540C8001001000000    mov dword ptr [1000C840], 00000001
:1000112A C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000110C(C), :10001116(C)
|
:1000112B 33C0                    xor eax, eax                - here's our problem, it makes eax=0...
:1000112D 83C404                  add esp, 00000004
:10001130 C3                      ret

[ wow, wow, wait a minute ? you'll say... how did I find out it always ]
[ jumps at :100010CA ??? well, just load your pe42 project file, from DEBUG menu ]
[ choose LOAD PROCESS, when it loads click on 'Active DLLs' window and scroll ]
[ down till you find peabout.dll... now double click it and choose 'yes'... go ]
[ to 'IsFullVersion' start and place a break point there by pushing F2... now push F9 ]
[ [run process] and wait a moment... it'll stop on our break point... now push ]
[ F7 a few times... see now ?! so our problem equals those two 'trial / full ]
[ check' functions... simple, make such changes: ]

* Possible StringData Ref from Data Obj ->"SpecialBuild"
                                  |
[...]
:1000110A 85C0                    test eax, eax
:1000110C 7400                    je 1000110E
:1000110E 817C240014050000        cmp dword ptr [esp], 00000514
:10001116 7500                    jne 10001118
[...]

[ trial check has been removed and now it'll always return as full ver, ]
[ no need to mess with 'CheckTimeLimit' 'coz it's not used now... let's see that ]
[ ABOUT menu now... in the 'exports' we've got 'ShowAboutBox' function... ]
[ double click it and you should see: ]

Exported fn(): ShowAboutBox - Ord:0006h
:100016C0 833D40C8001000          cmp dword ptr [1000C840], 00000000
:100016C7 7410                    je 100016D9
:100016C9 8B442404                mov eax, dword ptr [esp+04]
:100016CD 6A01                    push 00000001
:100016CF 50                      push eax
:100016D0 E8EB140000              call 10002BC0
:100016D5 83C408                  add esp, 00000008
:100016D8 C3                      ret

[ doing the previous trick we'll find out that jump at :100016C7 is 'trial' ]
[ jump... so once again make such a change: ]

:100016C7 7400                    je 100016C9

[ done... to sum up... we've changed just three bytes to get full version ]
[ of ulead photo explorer v4.2... not bad but sometimes it's just a matter of ]
[ one byte... so... till the next crack... ah, by the way, if you enjoyed this ]
[ tutorial or you think it just plainly sucks just let us know... we gotta know ]
[ what to do or what not to do next... ]

signed: emotion thirteen

[ p/s: ]
[ ready crack is available at http://crackpl.cjb.net - unfortunately I ]
[ didn't have a chance to apply it on not expired version of photo explorer, so ]
[ I don't know if it works properly with such a ver... check it yo' self then... ]

[CP]: http://realmsofcrack.cjb.net
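
Seen from the vendor's or an incident responder's side, the byte changes in the listings above leave a recognisable trace: a conditional jump with a zero displacement lands on the next instruction whichever way the test goes, which a compiler normally has no reason to emit. The block below is an added example, not part of the original tutorial: it parses W32Dasm-style listing lines as printed on this page (instruction lines copied from the listings above), flags such jumps, and diffs a listing against a known-good one; all function names are this example's own.

```python
import re

# One W32Dasm listing line as printed in the tutorial: ":ADDRESS HEXBYTES text"
LINE = re.compile(r"^:([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2})+)\s+(.+)$")

# Instruction lines copied from the tutorial's listings (shipped vs. modified).
ORIGINAL = """\
:0041B5E7 85C0 test eax, eax
:0041B5E9 751B jne 0041B606
:1000110C 741D je 1000112B
:10001116 7513 jne 1000112B
:100016C7 7410 je 100016D9
"""
PATCHED = """\
:0041B5E7 33C0 xor eax, eax
:0041B5E9 741B je 0041B606
:1000110C 7400 je 1000110E
:10001116 7500 jne 10001118
:100016C7 7400 je 100016C9
"""

def parse_listing(text):
    """Map address -> (raw bytes, disassembly text) for every instruction line."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out[int(m.group(1), 16)] = (bytes.fromhex(m.group(2)), m.group(3).strip())
    return out

def short_jcc_target(addr, raw):
    """Branch target of a 2-byte Jcc rel8 (opcodes 70h-7Fh), or None."""
    if len(raw) != 2 or not 0x70 <= raw[0] <= 0x7F:
        return None
    disp = raw[1] - 256 if raw[1] & 0x80 else raw[1]  # rel8 is signed
    return (addr + 2 + disp) & 0xFFFFFFFF

def neutralised_jumps(text):
    """Addresses of conditional jumps that land on the next instruction."""
    return [a for a, (raw, _) in sorted(parse_listing(text).items())
            if short_jcc_target(a, raw) == (a + 2) & 0xFFFFFFFF]

def changed_instructions(good, suspect):
    """Addresses whose bytes differ from a known-good listing."""
    base, cur = parse_listing(good), parse_listing(suspect)
    return [a for a in sorted(base) if a in cur and base[a][0] != cur[a][0]]

if __name__ == "__main__":
    for a in neutralised_jumps(PATCHED):
        print(f"{a:08X}: conditional jump with zero displacement")
    for a in changed_instructions(ORIGINAL, PATCHED):
        print(f"{a:08X}: bytes differ from known-good listing")
```

The zero-displacement heuristic catches the three changes inside peabout.dll but not the `xor eax, eax` rewrite in pe42.exe, which only the comparison against a known-good listing (or a signed hash of the shipped file) reveals.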