|ESTUDIO COLECTIVO DE DESPROTECCIONES|
|WKT Tutorialz Site|
|Program||Ulead PhotoImpact v4.12||W95 / W98 / NT|
|Protections||Trial / Nag|
|Level||1) Beginner, 2) Intermediate, 3) Advanced, 4) Professional, 5) Expert|
|Tools||SoftICE v3.25, W32Dasm v8.9, UltraEdit v6.10a|
|Target||How to avoid NagScreens and a 30 day time limit|
This is a very good program for manipulating your image files,
with some cool features. Try it!
This tutorial was originally written in Spanish
and this translation could be inaccurate.
|Here we go!|
Start the program and you'll notice it's a 30 day trial scheme,
without any disabled options.
* Reference To: USER32.DialogBoxParamA, Ord:008Eh
|
:4EB066CD FF15F4A3B14E CALL DWORD PTR [4EB1A3F4]
:4EB066D3 898590FDFFFF MOV DWORD PTR [EBP+FFFFFD90], EAX

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:4EB066A2(C), :4EB066AB(C)
|
* Possible Reference to Dialog: DialogID_0001
|
:4EB066D9 B801000000 MOV EAX, 00000001
:4EB066DE E935010000 JMP 4EB06818
To avoid the Nag Screen just change:
:4EB066CD FF15F4A3B14E CALL DWORD PTR [4EB1A3F4]
To
:4EB066CD 909090909090 NOP
The NOP instruction is 0x90. It means "do nothing".
|Now, the 30 days time limit.|
So set your system clock at least 30 days ahead. Now start
* Reference To: USER32.GetActiveWindow, Ord:00D5h
|
:4EB0671F FF15C0A3B14E CALL DWORD PTR [4EB1A3C0]
:4EB06725 50 PUSH EAX

* Possible Reference to Dialog: DialogID_0066
|
:4EB06726 6A66 PUSH 00000066
:4EB06728 8B0D0C47B24E MOV ECX, DWORD PTR [4EB2470C]
:4EB0672E 51 PUSH ECX

* Reference To: USER32.DialogBoxParamA, Ord:008Eh
|
:4EB0672F FF15F4A3B14E CALL DWORD PTR [4EB1A3F4]
:4EB06735 89858CFDFFFF MOV DWORD PTR [EBP+FFFFFD8C], EAX
:4EB0673B 83BD8CFDFFFF2A CMP DWORD PTR [EBP+FFFFFD8C], 0000002A
:4EB06742 751D JNZ 4EB06761

If you compare this code snippet with the previous one, you'll notice that the first snippet had just these two extra instructions:

:4EB066D9 B801000000 MOV EAX, 00000001 <-- Interesting!
:4EB066DE E935010000 JMP 4EB06818
In the first code snippet, EAX is assigned the value 1 and
then there is a JMP to :4EB06818.
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:4EB06716(C), :4EB06742(C)
|
:4EB06761 33C0 XOR EAX, EAX <-- Bad idea!
:4EB06763 E9B0000000 JMP 4EB06818

So we have to assign the value 1 to EAX and then jump to :4EB06818. Open the file u32cfg.dll with your favourite hex editor (UltraEdit, for example) and modify the following bytes:

:4EB0672F FF15F4A3B14E CALL DWORD PTR [4EB1A3F4]
:4EB06735 89858CFDFFFF MOV DWORD PTR [EBP+FFFFFD8C], EAX

We search "FF15F4A3B14E89858CFD" and we change it to: "B801000000E9B0000000"
So, we'll have this:

:4EB0672F B801000000 MOV EAX, 00000001
:4EB06735 E9B0000000 JMP 4EB06818
Voilà! It's done.
This essay could contain mistakes (maybe the author skipped
some steps, maybe wrong memory addresses, etc.). The purpose
is that you should learn to "think like a cracker".
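
Seen from the vendor's or an incident responder's side, both edits above are plain byte substitutions inside u32cfg.dll, so comparing the installed file against a known-good copy exposes them. The following is an added example, not part of the original tutorial: the function names and the padded sample buffers are constructed for illustration, and only the byte strings quoted in the text are taken from the page.

```python
NOP = 0x90  # x86 single-byte no-op, as described in the text above


def changed_ranges(baseline: bytes, candidate: bytes):
    """Return (offset, original, current) for each contiguous run of differing bytes."""
    if len(baseline) != len(candidate):
        # A size change is tampering in its own right; offsets would not line up.
        raise ValueError("size mismatch: image was truncated or extended")
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(baseline, candidate)):
        if a != b and start is None:
            start = i                      # a modified run begins here
        elif a == b and start is not None:
            ranges.append((start, baseline[start:i], candidate[start:i]))
            start = None                   # run ended on the previous byte
    if start is not None:                  # run reaches the end of the image
        ranges.append((start, baseline[start:], candidate[start:]))
    return ranges


def classify(current: bytes) -> str:
    """Label a modified run: instructions blanked with NOPs, or rewritten code."""
    return "nop-fill" if all(b == NOP for b in current) else "rewrite"


def audit(baseline: bytes, candidate: bytes):
    """Report every modified region with its offset, length and before/after bytes."""
    return [
        {"offset": off, "length": len(cur), "kind": classify(cur),
         "was": orig.hex().upper(), "now": cur.hex().upper()}
        for off, orig, cur in changed_ranges(baseline, candidate)
    ]


# Constructed sample: filler bytes around the two byte strings quoted on this page.
PAD = bytes(range(0x10, 0x18))
BASELINE = (PAD + bytes.fromhex("FF15F4A3B14E") + PAD
            + bytes.fromhex("FF15F4A3B14E89858CFD") + PAD)
TAMPERED = (PAD + bytes.fromhex("909090909090") + PAD
            + bytes.fromhex("B801000000E9B0000000") + PAD)

if __name__ == "__main__":
    for finding in audit(BASELINE, TAMPERED):
        print(finding)
```

On real files the baseline would come from trusted installation media, and a cryptographic hash of the whole file is the cheaper first check before diffing.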