ACDsee v3.1 - Tutorial by Flu[X]

"Well, after implementing pretty good protections in their previous versions, ACDSee have now seemingly gotten tired of trying to beat the crackers; instead they are giving away a very good application in return for some inexpensive data. One hopes it will NOT be used for some sort of marketing enterprise :-), as most of us like to travel anonymously on the web and use good software legally, the improvements Flu[X] suggests might well be very useful." (Slightly edited by CrackZ.)

Materials Required

Brain & W32Dasm (removing an Internet check).

This program offers free usage.... IF you connect to their web site at least every 30 days. Now this is REALLY annoying! First things first, let's be *OFFLINE* and try to register it, we don't want them to get our information after all. OK, go through the steps... it says "Error connecting to server...". We have to eliminate this check. It also has a 30 day check somewhere, we have to kill this too.

Let's disassemble it with W32Dasm (acdsee.exe). Then load the string references and find "You have %d sponsored days remaining...". You can think of that %d as a placeholder that gets filled in at run time with the number of days computed from the last time you connected. Let's go there, we find the following :-

* Reference To: InTouchClient.?SponsoredMode_GetDaysLeft@InTouchClient@@QAEHXZ, Ord:0058h
|
:0043D7F3 CALL DWORD PTR [004D8258]
:0043D7F9 MOV ECX, DWORD PTR [004F4324]
:0043D7FF PUSH EAX

* Possible Reference to String Resource ID=00263: "You have %d sponsored days remaining before you must connect"

Wait a second, isn't ACDSee's Internet system called InTouch? We notice it calls this .dll and then displays the days. Sounds like our point of attack should be this dll. Let's disassemble it with W32Dasm (InTouchClient.dll). Again do a string search and you will come up with this interesting one: "The ACD InTouch server could not be contacted...". Let's go to this, we find :-

:10007A48 MOV ESI, ECX
:10007A4A JE 10007A77 <-- this is the jump we modify
:10007A4C MOV EAX, DWORD PTR [ESI+08]
:10007A4F PUSH 1
:10007A51 PUSH EAX

* Reference To: USER32.KillTimer, Ord:0199h

:10007A52 CALL DWORD PTR [100202C8]
:10007A58 MOV ECX, DWORD PTR [ESI+08]
:10007A5B MOV EDX, DWORD PTR [10026E58]
:10007A61 PUSH 30

* Possible Reference to String Resource ID=00196: "ACD In Touch Service" <-- take a Look..familiar?

:10007A63 PUSH C4

* Possible Reference to String Resource ID=00596: "The ACD InTouch server could not be contacted.

:10007A68 PUSH 254
:10007A6D PUSH ECX
:10007A6E PUSH EDX
:10007A6F CALL 1000A680
:10007A74 ADD ESP, 14

* Referenced by a (U)nconditional or (C)onditional Jump at Address: <-look here!

:10007A77 MOV EAX, DWORD PTR [ESI+08]

* Possible Reference to Dialog: DialogID_0414

:10007A7A PUSH 414
:10007A7F PUSH 0
:10007A81 PUSH 472
:10007A86 PUSH EAX

OK, we notice how we can skip the message if we modify the jump at address 10007A4A, so let's do this: change the bytes to a JMP. Now let's run the application. Afterwards it no longer reports that it can't find the server, but we haven't skipped past the server check itself: we notice it drops us off again at the dialog right before the server check. Now, let's get back to that code and examine it in more detail. This is a small portion of the code above... read the comments :-

:10007A77 MOV EAX, DWORD PTR [ESI+08]

* Possible Reference to Dialog: DialogID_0414 <-- A dialog.

:10007A7A PUSH 414 <-- I wonder what this is
:10007A7F PUSH 0 <-- See beginning of the disassembly
:10007A81 PUSH 472
:10007A86 PUSH EAX

Let's look :-

Name: DialogID_0414, # of Controls=008, Caption:"InTouch", ClassName:""
     001 - ControlID:FFFF, Control Class:"STATIC" Control Text:"" 
     002 - ControlID:0449, Control Class:"STATIC" Control Text:"Internet Connection Settings" 
     003 - ControlID:043E, Control Class:"BUTTON" Control Text:"Access the Internet via a &dial-up connection" 
     004 - ControlID:043F, Control Class:"BUTTON" Control Text:"Access the Internet via a &LAN" 
     005 - ControlID:0444, Control Class:"BUTTON" Control Text:"LAN &settings..."

This is the window JUST before the attempt to connect to the server, meaning the previous code loads that dialog. Continue to browse the Dialog References, and look what else we find :-

Name: DialogID_0423, # of Controls=007, Caption:"Setup", ClassName:""
     001 - ControlID:0449, Control Class:"STATIC" Control Text:"Sponsored Mode Activated" 
     002 - ControlID:FFFF, Control Class:"STATIC" Control Text:"" 
     003 - ControlID:FFFF, Control Class:"STATIC" Control Text:"You are now ready to use this software in Sponsored Use Mode." 
     004 - ControlID:03F2, Control Class:"STATIC" Control Text:"You sponsorship must be renewed in %d days." 
     005 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Press <Finish> to complete this wizard and start using the software." 
     006 - ControlID:FFFF, Control Class:"STATIC" Control Text:"" 
     007 - ControlID:03F0, Control Class:"STATIC" Control Text:""

Now are you thinking what I am thinking? Of course you are, but just in case you're not: what we will do is modify the code that loads the Internet Connection Settings dialog so that it loads the Success dialog instead. We notice this is Dialog 423, so let's take a look at the code again :-

* Possible Reference to Dialog: DialogID_0414 <-- A dialog.

:10007A7A PUSH 414 <-- Internet Settings

OK, we notice how the program pushes the ID of the dialog it wants to load onto the stack, so we will change that to the Success dialog, i.e. PUSH 414h to PUSH 423h. Now for that 30 day check, let's take a look at the exported functions of this dll, we find :-

Addr:10006410 Ord: 89 (0059h) Name: ?SponsoredMode_GetDaysLeft@InTouchClient@@QAEHXZ
Addr:10006450 Ord: 90 (005Ah) Name: ?SponsoredMode_ShowExpiredBox@InTouchClient@@QAEHPAUHWND__@@@Z
Addr:10006430 Ord: 91 (005Bh) Name: ?SponsoredMode_ShowWarningBox@InTouchClient@@QAEHPAUHWND__@@@Z

SponsoredMode_GetDaysLeft, doesn't that just grab your attention? Let's do a string search for "SponsoredMode_GetDaysLeft", we get this :-

Exported fn(): ?SponsoredMode_GetDaysLeft@InTouchClient@@QAEHXZ - Ord:0059h

:10006410 PUSH ESI
:10006411 MOV ESI, ECX

* Reference To: InTouchClient.?DaysSinceLastConnection@InTouchClient@@QAEHXZ

:10006413 CALL 10003860 <-- call the DaysSinceLastConnection function (returns days since in EAX)
:10006418 MOV ESI, DWORD PTR [ESI+00000414]
:1000641E MOV ECX, EAX <-- ECX now equals days since last connection
:10006420 MOV EAX, ESI <-- ESI is 30 so now EAX is 30
:10006422 SUB EAX, ECX <-- EAX = 30 - days since (i.e. days left)
:10006424 JS 1000642A <-- if the result is negative (more than 30 days) then goto make EAX zero
:10006426 CMP EAX, ESI <-- if EAX is between 0 and 30 continue (you have days left)
:10006428 JLE 1000642C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10006424(C)

:1000642A XOR EAX, EAX

Look at this. It calls InTouchClient.?DaysSinceLastConnection (which obviously gets the number of days since we last connected to the server, and we are supposed to every 30 days), so we know something has to compare the current days left with 30. LOOK at the commented code now. We know that EAX holds the days left and gets returned, so if we somehow set it so that EAX is ALWAYS 30 we will be all set. So we change the code from :-

CALL 10003860
MOV ESI, DWORD PTR [ESI+00000414]
MOV ECX, EAX
MOV EAX, ESI
SUB EAX, ECX
JS 1000642A
CMP EAX, ESI
JLE 1000642C
XOR EAX, EAX
POP ESI
RET

to :-

CALL 10003860
MOV ESI, DWORD PTR [ESI+00000414]
MOV ECX, EAX
MOV EAX, ESI
SUB EAX, ECX
MOV EAX, 1E
NOP
NOP
NOP
POP ESI
RET

Now we can again try to setup the Application for Sponsored mode. It works. You have successfully cracked ACDsee v3.1 by de-activating the internet checks.
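As an added illustration (not code from the original tutorial), here is a C model of what the unpatched SponsoredMode_GetDaysLeft listing above computes, including both paths that land on XOR EAX,EAX. It assumes, as the tutorial states, that the value loaded from [ESI+414h] is the constant 30.

```c
#include <stdio.h>

/* Period length: the tutorial states the value loaded from [ESI+414h] is 30. */
#define SPONSORED_PERIOD_DAYS 30

/* C model of the unpatched ?SponsoredMode_GetDaysLeft listing.
 * days_since is what ?DaysSinceLastConnection returns in EAX. */
int sponsored_days_left(int days_since)
{
    int left = SPONSORED_PERIOD_DAYS - days_since; /* MOV EAX,ESI / SUB EAX,ECX */

    if (left < 0)                       /* JS 1000642A: result is negative */
        return 0;                       /* XOR EAX,EAX */
    if (left > SPONSORED_PERIOD_DAYS)   /* CMP EAX,ESI / JLE not taken: days_since */
        return 0;                       /* was negative, falls into XOR EAX,EAX too */
    return left;                        /* JLE 1000642C taken: POP ESI / RET with EAX */
}

int main(void)
{
    /* Constructed inputs covering the normal range and both zero-producing paths. */
    const int samples[] = { 0, 1, 29, 30, 31, 400, -1, -100 };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("days since last connection %5d -> days left %2d\n",
               samples[i], sponsored_days_left(samples[i]));
    return 0;
}
```

The JS branch covers the case of more than 30 days elapsed, while the CMP/JLE fall-through covers a negative days-since value (a result larger than 30); the patch in the tutorial replaces this whole comparison chain with a constant return of 30.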

*REMEMBER STAY OFFLINE WHEN YOU TRY TO FIRST USE SPONSORED MODE*

Flu[X].




© 1998, 1999, 2000 Hosted by CrackZ, Tutorial by Flu[X] 12th November 2000.