ESTUDIO COLECTIVO DE DESPROTECCIONES | ||
WKT Tutorialz Site |
Program | Ulead PhotoImpact v4.12 | W95 / W98 / NT |
Description | Image editor | |
Url | http://www.ulead.com | |
Protections | Trial / Nag | |
Level | 1) Beginner, 2) Intermediate, 3) Advanced, 4) Professional, 5) Expert | |
Tools | SoftICE v3.25, W32Dasm v8.9, UltraEdit v6.10a | |
Target | How to avoid NagScreens and a 30 day time limit | |
Cracker | Mr.WhiTe [WkT!] | |
Date | 07/30/99 |
Introduction

This is a very good program to manipulate your image files, with some cool features. Try it! This tutorial was originally written in Spanish and this translation could be inaccurate.

Here we go!
Start the program and you'll notice it's a 30 day trial scheme, without any disabled options.

```
* Reference To: USER32.DialogBoxParamA, Ord:008Eh
                                  |
:4EB066CD FF15F4A3B14E            CALL DWORD PTR [4EB1A3F4]
:4EB066D3 898590FDFFFF            MOV DWORD PTR [EBP+FFFFFD90], EAX

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:4EB066A2(C), :4EB066AB(C)
|
* Possible Reference to Dialog: DialogID_0001
                                  |
:4EB066D9 B801000000              MOV EAX, 00000001
:4EB066DE E935010000              JMP 4EB06818
```

To avoid the Nag Screen just change:

```
:4EB066CD FF15F4A3B14E            CALL DWORD PTR [4EB1A3F4]
```

To

```
:4EB066CD 909090909090
```

NOP instruction is 0x90. It means "do nothing".
Now, the 30 days time limit.

So set your system clock at least 30 days ahead. Now start PhotoImpact.

```
* Reference To: USER32.GetActiveWindow, Ord:00D5h
                                  |
:4EB0671F FF15C0A3B14E            CALL DWORD PTR [4EB1A3C0]
:4EB06725 50                      PUSH EAX

* Possible Reference to Dialog: DialogID_0066
                                  |
:4EB06726 6A66                    PUSH 00000066
:4EB06728 8B0D0C47B24E            MOV ECX, DWORD PTR [4EB2470C]
:4EB0672E 51                      PUSH ECX

* Reference To: USER32.DialogBoxParamA, Ord:008Eh
                                  |
:4EB0672F FF15F4A3B14E            CALL DWORD PTR [4EB1A3F4]
:4EB06735 89858CFDFFFF            MOV DWORD PTR [EBP+FFFFFD8C], EAX
:4EB0673B 83BD8CFDFFFF2A          CMP DWORD PTR [EBP+FFFFFD8C], 0000002A
:4EB06742 751D                    JNZ 4EB06761
```

If you compare this code snippet with the last one, you'll notice that the first code snippet had just the following additional instructions:

```
:4EB066D9 B801000000              MOV EAX, 00000001    <-- Interesting!
:4EB066DE E935010000              JMP 4EB06818
```

In the first code snippet, EAX is assigned the value 1 and then there is a JMP to :4EB06818.

```
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:4EB06716(C), :4EB06742(C)
|
:4EB06761 33C0                    XOR EAX, EAX         <-- Bad idea!
:4EB06763 E9B0000000              JMP 4EB06818
```

So we have to assign the value 1 to EAX and also jump to :4EB06818. Open the file u32cfg.dll with your favourite hex editor (UltraEdit for example) and modify the following bytes:

```
:4EB0672F FF15F4A3B14E            CALL DWORD PTR [4EB1A3F4]
:4EB06735 89858CFDFFFF            MOV DWORD PTR [EBP+FFFFFD8C], EAX
```

We search for "FF15F4A3B14E89858CFD" and we change it to "B801000000E9B0000000".

So, we'll have this:

```
:4EB0672F B801000000              MOV EAX, 00000001
:4EB06735 E9B0000000              JMP 4EB06818
```

Voilà! It's done.

This essay could contain mistakes (maybe the author skipped some steps, maybe wrong memory addresses, etc.). The purpose is that you should learn to "think like a cracker".
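Both changes above are in-place byte edits to u32cfg.dll, so a check of the file against a known-good build exposes them. The following is an added example, not part of the original tutorial: it compares a SHA-256 against a baseline and searches for the two patched byte sequences quoted above. The sample image, the function names and the baseline hash are constructed for illustration; a real baseline would come from the vendor's build.

```python
import hashlib

# Byte sequences quoted in the tutorial (module u32cfg.dll).
NAG_SITE_ORIG = bytes.fromhex("FF15F4A3B14E898590FDFFFF")    # CALL [4EB1A3F4]; MOV [EBP+FFFFFD90], EAX
NAG_SITE_NOPPED = bytes.fromhex("909090909090898590FDFFFF")  # same site with the CALL replaced by six NOPs
TRIAL_SITE_ORIG = bytes.fromhex("FF15F4A3B14E89858CFD")      # search string given in the tutorial
TRIAL_SITE_FORCED = bytes.fromhex("B801000000E9B0000000")    # replacement string given in the tutorial

# The NOP indicator includes the following MOV so that ordinary
# 0x90 alignment padding elsewhere in the file does not match.
INDICATORS = {
    "nag call NOPed out": NAG_SITE_NOPPED,
    "trial result forced to 1": TRIAL_SITE_FORCED,
}

def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in data."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets

def audit(image: bytes, known_good_sha256: str) -> dict:
    """Hash check against a baseline plus a scan for the known patch bytes."""
    hits = [(off, name) for name, pat in INDICATORS.items()
            for off in find_all(image, pat)]
    return {
        "hash_ok": hashlib.sha256(image).hexdigest() == known_good_sha256,
        "indicators": sorted(hits),
    }

def build_sample() -> bytes:
    """Constructed stand-in for the module: both call sites between INT3 padding."""
    pad = b"\xCC" * 16
    return pad + NAG_SITE_ORIG + pad + TRIAL_SITE_ORIG + pad

if __name__ == "__main__":
    clean = build_sample()
    baseline = hashlib.sha256(clean).hexdigest()
    tampered = (clean.replace(NAG_SITE_ORIG, NAG_SITE_NOPPED)
                     .replace(TRIAL_SITE_ORIG, TRIAL_SITE_FORCED))
    print(audit(clean, baseline))
    print(audit(tampered, baseline))
```

The hash comparison catches any modification of the file; the pattern scan only names these two specific edits and says where they are.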