Cracking Tutorial for Ulead Photo Express 2.0
 
 

Before we start, please read the Disclaimer section of this essay!
Coders from Photo Express, click here!

Target Program: Ulead Photo Express 2.0 
Description: Photo Express 2.0 is the new cool tool for expressing your creativity with pictures of your family and friends! Photo Express is the ultimate tool for adding that extra spark of life to your photos - it gives you the power to take ordinary, everyday pictures and turn them into high-quality works of art. With its guided workflow and intuitive interface, you'll be cranking out personalized birthday cards, calendars, and posters in no time at all!
Location: http://www.ulead.com (also published on many CDs - like Shareware Light)
If you prefer a FTP-Search, look for PE2T.EXE (22806016 Bytes).
Protections: Time Limited / NAG
Tools needed: - SoftICE 3.2x
  - Hex Editor (I like Hacker's View)
Ob duh: Do I really have to remind you all that by BUYING and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.
 
If you're looking for cracks or serial numbers from these pages then your wasting your time, try to search elsewhere on the Web under Warez, Cracks, etc.
Level: (X)Beginner ( )Intermediate ( )Advanced ( )Expert

 
The first step to crack a program is usually to check what type of protection it has. Then we decide how we can crack that program. So, let's have a look at the dialog box that was displayed as we've started Photo Express:
 

Since we have to push the "Try More!"-Button to start the program, we call this a NAG-Screen. The next thing we've to decide is if it's a Standard-NAG or an Advanced-NAG. Since this tutorial is written for a Newbie, I don't think you've enough experience to decide what type of a NAG it is; so I just wanna tell you, that NAGs are mostly no Standard-NAGs (a dialog box with just a button like "I agree" - and a small icon and NO other images) - like this one.
As you might already have seen from the titel of the NAG, Photo Express has a second, it's real protection: it's Time Limited; so press the "Try More!"-Button and exit Photo Express. Before we crack the Time Limit, we should crack the NAG, so that we don't have to press the "Try More!"-Button any longer.
If you've already cracked some Advanced-NAGs you know what breakpoints in SoftICE you have to set now. If you haven't got this knowledge, it might help you reading Part 06: "Window Generating" of the cRACKER's n0TES.
Let's start the cracking session: Enter SoftICE by pressing CTRL-D (if you haven't changed the Standard-Keys) and set a BreakPoint on Execution to DialogBoxParamA (because it's a Advanced-NAG). After you've pressed F11 and then pressed the "Try More!"-Button, you'll get the following code: 

:4EB066AE FF15C0A3B14E CALL   [USER32!GetActiveWindow]
:4EB066B4 50 PUSH   EAX
:4EB066B5 6A66 PUSH   66
:4EB066B7 8B0D0C47B24E MOV    ECX,[4EB2470C]
:4EB066BC 51 PUSH   ECX
:4EB066BD FF15F4A3B14E CALL   [USER32!DialogBoxParamA]
:4EB066C3 89858CFDFFFF MOV    [EBP-0274],EAX
:4EB066C9 B801000000 MOV    EAX,00000001
:4EB066CE E935010000 JMP    4EB06808

So we can crack the NAG by simply removing the CALL to DialogBoxParamA? - Yes. So clear all Breakpoints by typing BC * and set a BPX to the DialogBoxParamA-Line and restart Photo Express. Then type "A" in SoftICE to assemble some instructions:

   NOP <ENTER>
   NOP <ENTER>
   NOP <ENTER>
   NOP <ENTER>
   NOP <ENTER>
   NOP <ENTER>
   <ENTER>

Now return to Windows (CTRL-D) and take a look at the result of your Memory-Crack for the NAG-Screen. The NAG-Crack is nearly done, we just have to patch the file that generated the NAG. SoftICE displayed the 'info' that we're in IPE20.EXE - as I couldn't find this in IPE20.EXE, I decided to use the knowledge I got from other Ulead cracks (U32CFG.DLL is *the* DLL).
So I searched for
B801000000E935010000 in U32CFG.DLL - and found it. So simply run HIEW and search for
 
   FF15F4A3B14E898590FDFFFF
 
and replace it with
 
   909090909090898590FDFFFF
 
Now we've removed the NAG-Screen - if we're in the Trial Period. The next step would be to remove the Time Limit - so set your system clock at least 30 days ahead. Now start Photo Express. The following dialog box will be displayed:

So far so good. We now have to crack it's *real* protection: the 30-day-Time-Limit. Since this DialogBox looks like the first one, we can set a BPX to DialogBoxParamA. So set a BPX to DialogBoxParamA and restart Photo Express. After you've pressed F11 and then pressed the "OK"-Button, you'll get the following code: 

:4EB0670F FF15C0A3B14E CALL   [USER32!GetActiveWindow]
:4EB06715 50 PUSH   EAX
:4EB06716 6A66 PUSH   66
:4EB06718 8B0D0C47B24E MOV    ECX,[4EB2470C]
:4EB0671E 51 PUSH   ECX
:4EB0671F FF15F4A3B14E CALL   [USER32!DialogBoxParamA]
:4EB06725 89858CFDFFFF MOV    [EBP-0274],EAX
:4EB0672B 83BD8CFDFFFF2A CMP    DWORD PTR [EBP-0274],2A
:4EB06732 751D JNZ    4EB06751

If you compare this code snippet with the last one, you'll recognize that in code snippet 1 there are just the following instructions more:

:4EB066C9 B801000000 MOV    EAX,00000001
:4EB066CE E935010000 JMP    4EB06808

Code snippet 1:
EAX is assigned the value 1. Then there's a JMP to 4EB06808.

Code snippet 2:
There's a JMP to 4EB06751 - if EBP-0274 isn't 2A, which means "Order now!"-Button pressed.
 
Well, what we could do now is really simple: We can just overwrite the DialogBoxParamA-Function from Code snippet 2 with:

MOV EAX,00000001
JMP 4EB06808

Then Photo Express won't expire. So set a BPX to DialogBoxParamA in SoftICE and restart Photo Express. Press F11 and you'll get the code of code snippet 2. Now set a BPX on the DialogBoxParam-Line and restart Photo Express.
After SoftICE pops-up at the DialogBoxParamA-Line, type "A" in SoftICE to assemble some instructions:

   MOV EAX,1 <ENTER>
   JMP 4EB06808 <ENTER>
   <ENTER>

SoftICE will then display the following code:

:4EB0670F FF15C0A3B14E CALL   [USER32!GetActiveWindow]
:4EB06715 50 PUSH   EAX
:4EB06716 6A66 PUSH   66
:4EB06718 8B0D0C47B24E MOV    ECX,[4EB2470C]
:4EB0671E 51 PUSH   ECX
:4EB0671F B801000000 MOV    EAX,00000001
:4EB06724 E9DF000000 JMP    4EB06808
:4EB06729 FFFF INVALID
:4EB0672B 83BD8CFDFFFF2A CMP    DWORD PTR [EBP-0274],2A
:4EB06732 751D JNZ    4EB06751

Now Photo Express will start as if it hasn't already expired. We just have to run HIEW and search for
 
   FF15F4A3B14E89858CFD
 
and replace it with
 
   B801000000E9DF000000
 
... Photo Express successfully cracked!

 
If you're USING Photo Express BEYOND it's FREE TRIAL PERIOD, then please BUY IT.


Coders from Photo Express: I don't think it's that clever just to set a flag if you're in the trial period or not. I would recommend to set the flag once to fake us crackers and once to check if we're in the trial period. Also I would erase some files, etc. if the trial period is over, so that it *isn't* possible to restore the trial period. BTW, Photo Express was a so called "5-Minutez-Crack" - I hope you'll understand that I'm trying to tell you that you should improve the protection of your mostly great programs.

Disclaimer: This essay is for educational purposes only. Any use, misuse or illegal activity is the sole responsibility of the reader! I take no responsibility of the usage of this information!
   

Info: Brand and product names are trademarks or registered trademarks of their respective holders.


Copyright 1998 by TORN@DO and The Immortal Descendants. All Rights Reserved.