
ESTUDIO COLECTIVO DE DESPROTECCIONES
WKT Tutorialz Site
WKT
Program: Ulead PhotoImpact v4.12 (W95 / W98 / NT)
Description: Image editor
Url: http://www.ulead.com
Protections: Trial / Nag
Level: 1) Beginner, 2) Intermediate, 3) Advanced, 4) Professional, 5) Expert
Tools: SoftIce v3.25, W32dasm v8.9, UltraEdit v6.10a
Target: How to avoid the nag screen and the 30-day time limit
Cracker: Mr.WhiTe [WkT!]
Date: 07/30/99

Introduction
This is a very good program for manipulating your image files, with some cool features. Try it!
With this tutorial you will learn how to get rid of the nag screen in an easy way, and how to remove the 30-day time limit. The protection lives inside U32cfg.dll, so that is the file we will end up patching.
This tutorial was originally written in Spanish and this translation could be some shit.
So, sorry for my English ;o)

Here we go!
Start the program and you'll notice it's a 30-day trial scheme, with no options disabled.
It also has an ugly nag screen, which (as we'll see) is displayed through DialogBoxParamA.

First of all, we're going to kill that ugly nag screen. So we set our first breakpoint in our beloved SoftIce: pop it up, type "BPX dialogboxparama", and leave SoftIce again (Ctrl+D). Now click the "Try More!" button. SoftIce breaks on DialogBoxParamA inside USER32; press F11 to return to the caller, and we land right after this call (listing from W32dasm):

* Reference To: USER32.DialogBoxParamA, Ord:008Eh
                                  |
:4EB066CD FF15F4A3B14E            Call dword ptr [4EB1A3F4]
:4EB066D3 898590FDFFFF            mov dword ptr [ebp+FFFFFD90], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:4EB066A2(C), :4EB066AB(C)
|

* Possible Reference to Dialog: DialogID_0001 
                                  |
:4EB066D9 B801000000              mov eax, 00000001
:4EB066DE E935010000              jmp 4EB06818


To skip the nag screen just change:
:4EB066CD FF15F4A3B14E            Call dword ptr [4EB1A3F4]

to:
:4EB066CD 909090909090            nop (x6)

The NOP instruction is encoded as 90 and means "do nothing" ;o). Use six of them, so the patch has exactly the same length as the six-byte call and the instructions after it stay where they are.
Now for the 30-day time limit. :o)
Set your system clock at least 30 days ahead and start PhotoImpact again.
It will display another ugly dialog box.
Oh! What a surprise!!! It's another "dialogboxparama"!!!

Welcome back to SoftIce. Set the breakpoint again (or just re-enable the first one): "BPX dialogboxparama". When it fires, press F11 and look where we are ;o)
* Reference To: USER32.GetActiveWindow, Ord:00D5h
                                  |
:4EB0671F FF15C0A3B14E            Call dword ptr [4EB1A3C0]
:4EB06725 50                      push eax

* Possible Reference to Dialog: DialogID_0066 
                                  |
:4EB06726 6A66                    push 00000066
:4EB06728 8B0D0C47B24E            mov ecx, dword ptr [4EB2470C]
:4EB0672E 51                      push ecx

* Reference To: USER32.DialogBoxParamA, Ord:008Eh
                                  |
:4EB0672F FF15F4A3B14E            Call dword ptr [4EB1A3F4]
:4EB06735 89858CFDFFFF            mov dword ptr [ebp+FFFFFD8C], eax
:4EB0673B 83BD8CFDFFFF2A          cmp dword ptr [ebp+FFFFFD8C], 0000002A
:4EB06742 751D                    jne 4EB06761



Compare this snippet with the first one: right after the call, the first snippet had these two extra instructions:
:4EB066D9 B801000000          mov eax, 00000001 <-- Ummm, interesting!
:4EB066DE E935010000          jmp 4EB06818
In the first snippet EAX is set to 1 and then there is a JMP to :4EB06818.
In the second snippet (trial period expired), the return value of DialogBoxParamA, saved in [ebp+FFFFFD8C], is compared with 2A, and if they are not equal the code jumps to :4EB06761:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:4EB06716(C), :4EB06742(C)
|
:4EB06761 33C0                xor eax, eax <-- Bad idea!
:4EB06763 E9B0000000          jmp 4EB06818   


So we want the expired path to behave like the first snippet: set EAX to 1 and jump to :4EB06818, without ever showing the dialog.
Open u32cfg.dll with your favourite hex editor (UltraEdit, for example) and modify the following bytes:
 

:4EB0672F FF15F4A3B14E            Call dword ptr [4EB1A3F4]
:4EB06735 89858CFDFFFF            mov dword ptr [ebp+FFFFFD8C], eax

We search for "FF15F4A3B14E89858CFD" (the six bytes of the call plus the first four bytes of the mov; those four bytes are what make the pattern unique, since the nag-screen call at 4EB066CD starts with the same six bytes but is followed by 898590FD) and we change it to:
         "B801000000E9DF000000"

So we'll have this:

:4EB0672F B801000000          mov eax, 00000001
:4EB06734 E9DF000000          jmp 4EB06818

Two things to check before you type this in. First, mov eax,1 is 5 bytes, so the jmp starts at 4EB06734, not 4EB06735; the last two bytes of the old mov (FFFF at 4EB06739) are left behind, but they are never executed because the jmp is taken before them. Second, E9 is a relative jump: its 32-bit operand is the distance from the end of the 5-byte instruction to the target, so the bytes depend on where the jmp sits. From 4EB06734 the instruction ends at 4EB06739, and 4EB06818 - 4EB06739 = DF, hence E9DF000000. Copying the E9B0000000 bytes from the jmp at 4EB06763 would not work here: B0 reaches 4EB06818 only from 4EB06768, and from 4EB06739 it would land at 4EB067E9. You can check the rule on the two jumps already in the listings: 4EB066E3 + 135 = 4EB06818 and 4EB06768 + B0 = 4EB06818.
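The same two patches (the NOPed nag-screen call and the expired-trial mov/jmp) done with a script instead of a hex editor. This is an added example for this page, not code from the original essay or from the WKT group. It uses only the byte sequences and addresses quoted above and assumes they are right for the exact u32cfg.dll build the author worked on; on any other build the search patterns will not match and the script refuses to write. The command-line path argument, the .bak backup name and the constructed SAMPLE_DLL stand-in are the example's own choices. Two things it does that are easy to get wrong by hand: it computes the jmp displacement from the addresses instead of copying bytes, and it refuses to patch a pattern that occurs more than once, which is what protects against the six call bytes FF15F4A3B14E matching both DialogBoxParamA calls.

```python
"""Byte-patcher for the two u32cfg.dll patches described in this tutorial.

Added example, not part of the original essay. Assumes the byte sequences
and virtual addresses quoted in the tutorial are correct for the exact
build the author used; on any other build the patterns will not match and
patch_unique() refuses to change anything.
"""
import struct
import sys
from pathlib import Path


def mov_eax_imm32(value):
    """Encode `mov eax, imm32` (B8 imm32, little-endian): 5 bytes."""
    return b"\xb8" + struct.pack("<I", value)


def jmp_rel32(at, target):
    """Encode `jmp target` (E9 rel32) for a jmp whose first byte is at `at`.

    E9 takes a displacement relative to the END of the 5-byte instruction,
    so the bytes depend on where the jmp lives, not only on the target.
    """
    return b"\xe9" + struct.pack("<i", target - (at + 5))


def patch_unique(data, pattern, replacement):
    """Replace `pattern` with a same-length `replacement`, only if it occurs once.

    Same length keeps every following instruction at its original offset;
    uniqueness protects against patching a look-alike call somewhere else.
    """
    if len(pattern) != len(replacement):
        raise ValueError("replacement must have the same length as the pattern")
    first = data.find(pattern)
    if first < 0:
        raise ValueError(f"pattern {pattern.hex()} not found")
    if data.find(pattern, first + 1) >= 0:
        raise ValueError(f"pattern {pattern.hex()} is not unique; refusing to guess")
    return data[:first] + replacement + data[first + len(pattern):]


# Patch 1 (nag screen): the DialogBoxParamA call at 4EB066CD becomes six NOPs.
# The call bytes alone (FF15F4A3B14E) occur at BOTH calls shown in the
# tutorial, so the following `mov [ebp-270], eax` is included as context.
NAG_PATTERN = bytes.fromhex("FF15F4A3B14E" "898590FDFFFF")
NAG_REPLACEMENT = b"\x90" * 6 + NAG_PATTERN[6:]

# Patch 2 (expired trial): at 4EB0672F, replace
#   call [4EB1A3F4]        (6 bytes)
#   mov [ebp-274], eax     (first 4 of its 6 bytes)
# with `mov eax, 1` (5 bytes) + `jmp 4EB06818` (5 bytes): exactly 10 bytes.
EXPIRED_VA = 0x4EB0672F          # address of the call being replaced
RETURN_VA = 0x4EB06818           # where both code paths end up
EXPIRED_PATTERN = bytes.fromhex("FF15F4A3B14E" "89858CFD")
EXPIRED_REPLACEMENT = mov_eax_imm32(1) + jmp_rel32(EXPIRED_VA + 5, RETURN_VA)


def apply_patches(dll):
    """Apply both patches to a raw file image and return the new image."""
    dll = patch_unique(dll, NAG_PATTERN, NAG_REPLACEMENT)
    return patch_unique(dll, EXPIRED_PATTERN, EXPIRED_REPLACEMENT)


# Constructed stand-in for u32cfg.dll: just the two code fragments quoted in
# the tutorial with int3 filler between them, so the script runs offline.
SAMPLE_DLL = (
    b"\xcc" * 16
    + bytes.fromhex("FF15F4A3B14E 898590FDFFFF B801000000 E935010000")
    + b"\xcc" * 16
    + bytes.fromhex("FF15C0A3B14E 50 6A66 8B0D0C47B24E 51 FF15F4A3B14E "
                    "89858CFDFFFF 83BD8CFDFFFF2A 751D")
    + b"\xcc" * 16
)


def main(argv):
    """Patch the DLL named on the command line, keeping a .bak copy first."""
    if len(argv) != 2:
        print(f"usage: {argv[0]} <path to u32cfg.dll>", file=sys.stderr)
        return 2
    path = Path(argv[1])
    original = path.read_bytes()
    patched = apply_patches(original)          # raises before anything is written
    backup = path.with_suffix(".dll.bak")
    backup.write_bytes(original)
    path.write_bytes(patched)
    print(f"patched {path}; backup written to {backup}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the script searches for the bytes rather than converting a virtual address into a file offset, it works on the raw file without parsing the PE headers. The jmp displacement is the distance between two points in the same code section, so it does not change if the DLL is loaded at a different base, and jmp_rel32() reproduces the two jumps already in the listings (E935010000 at 4EB066DE and E9B0000000 at 4EB06763) when given their addresses, which is a cheap way to convince yourself the arithmetic is right before writing to the file.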


Voilà! It's done.
Do I really have to remind you of the purpose of this cracking tutorial?

NOTE FOR THE READER:
This essay could contain mistakes (maybe the author skipped some steps, maybe some memory addresses are wrong, etc.). The purpose is for you to learn to "think like a cracker".
Good luck! ;o)
  
*==========-*-*-*-* P E R S O N A L   G R E E T Z *-*-*-*-==========*
    Dasavant, Niabi, r00ster, ZEncrakz, Azrael, Klimpong, Zor
    Conde-Vampiro, Mac-Crack, Killer_P, ASTAGA, Harvestr, Iczelion
    JosephCo, Carpathia, Taylor, Tapu, Ivanopulo, EgoistE, Torn@do,
    JUANDA, Leoworld, ReKiem, Neural_N, Netking, Russ97,
    Mr.Pink and of course all WKT Members ;o)



*------------------*
|WHISKEY KON TEKILA|
|Mr.WhiTe [WkT!99] |
|http://wkt.tsx.org|
|http://ecd.tsx.org|
*------------------*