November  1999
"Acdsee v2.42"
( 'follow the flow' )
Win Code Reversing
by The Snake
Code Reversing For Beginners
Program Details
Program Name: acdc32242.exe
Program Type: image utility
Program Location: Here
Program Size: 1.9MB
Tools Used:
 Softice V4.0 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Dissembler
UnAspack v1.0 - Aspack Unpacker
Easy (x )  Medium ()  Hard ( )  Pro ( )

Acdsee v2.42
( 'Follow the flow'  )
Written by The Snake

The author of  SAcdsee v2.42 says :

    Slideshow display, autosize preview, read
    ahead/cache, show GIF animation, convert to
    BMP/JPG, ...and much more all for an affordable
    Image Viewing - As an image viewer, ACDSee
    stands unsurpassed in its ability to quickly decode
    and display images.
    Image Browsing - ACDSee is the best choice for
    browsing images in your file system.
    Image Enhancement - ACDSee provides a
    number of frequently used image manipulation
    functions including file conversion and image
About this protection system

 This program was packed with Aspack  v1.083.  This info can be found by using
 Gettype. (you can dn-ld it from my tools page).
 This tutorial will be in 2 parts :
 part 1 - how to unpack a program packed with Aspack v1.083 - using Unaspack.
 part 2 - how to crack SAcdsee V2.42.

 You can download  "Unaspack" by "bane" from my tools  page.
 The program save it's settings in the registy file :

  HKLM\Software\ACD Systems\Acdsee32\Code
  HKLM\Software\ACD Systems\Acdsee32\Name
The Essay

  Since i had the previous version of this great tool, i noticed that the file size of the new ver  is half of the zise
  of  the new version. This can be for only one reason, another packed program.
  To check it out, copy acdsee32.exe to the GETTYPE directory, and under "dos" type :
  gtw.exe acdsee32.exe /ze /p     we can see that the packer is Aspack  v1.083.

  At this point we have 2 choices, or to use ProcDump, or unaspack.  I like the second choice, i've found that
  unaspack strip the packer section from the final unpacked program. This also saves some bytes on your

 PART ONE - how to unpack the program using Unaspack :

 The first step will be to COPY acdsee32.exe to the directory of unasoack.
 Switch to DOS mode, and in Unaspack's directory type :
 unaspack.exe  acdsee32.exe and "Enter". you should get this 2 lines :
 acdsee32.exe - ASPack 1.08.03
 acdsee32.exe - nothing found.         ignore this message.
 Now, looking at the file size, can you see that it is bigger then the original ?
 Save the original files with other names, and copy the unpacked files back to acdsee directory.

 There is one more thing to be done, fire up ProcDump (you know where to get it),
 and choose the "pe editor", and choose "acdsee32.exe". We're in "PE structure editor",
 so, click on "sections" button and you'll  see that all sections caracteristics (right column) is C0000040.
 Click with mouse right-click on the .text  section, and  "edit section". At the bottom right corner, change it to
 "E0000020" and click "ok" 3  times.
  Now go to w32dasm and you can have a perfect dead listing of the program.

  PART TWO - how to crack acdsee32 v2.42

  Run the program. the registration screen can be found under Help/About ACDSee/Register now.
  Type in your name and any registration you like. Hit the "ok" button" and message pops up :
  "your name and registration code do not match".
  In the dead list, at the "string data references", you will find this message, but it will not help us any-how
  to get to where we want to come.  So, we are going to jump in the programs code, not too deap, but just
  enough to see what we're looking for :)

  We will create a break-point in Softice : "bpx getdlgitemtexta" and then hit the "ok" button.
  Softice will break total of 2 times with this, but we need the second one, after the program got our name
  and reg code. On the first break type "x" and "enter" and on the 2nd press 'F11' once to get back to the
  caller of this API. We are in acdsee32 code, seeing this code :

 :004595A7 8B0D10045000            mov ecx, dword ptr [00500410]
 :004595AD 8D54241C                lea edx, dword ptr [esp+1C]       ; we land here
 :004595B5 52                      push edx

    ----- snip  snip -----

 :004595CD FF151CF04D00            Call dword ptr [004DF01C]        ; call RegCreateKeyExA
 :004595D3 85C0                    test eax, eax
 :004595D5 7419                    je 004595F0

    ----- snip  snip -----

 :004595F0 8B2D18F04D00            mov ebp, dword ptr [004DF018]      ; RegSetValueExA
 :004595F6 8B1D48F34D00            mov ebx, dword ptr [004DF348]

    ----- snip  snip -----

 :00459655 50                      push eax
 :00459656 FF1500F04D00            Call dword ptr [004DF000]         ; RegCloseKey
 :0045965C A198045000              mov eax, dword ptr [00500498]
 :00459661 6A00                    push 00000000
 :00459663 3BF8                    cmp edi, eax                      ; eax = 1, edi=1 / 2
 :00459665 0F85D6000000            jne 00459741                ; jump - user pushed "cancel"
 :0045966B 8D8C24AC000000          lea ecx, dword ptr [esp+000000AC]
 :00459672 8D542424                lea edx, dword ptr [esp+24]

  From tracing the programs code that we see above, we can learn how the program open the registry,
  and puts our name and the code we entered in the programs entry in the registry file, all this is done
  even before the code we entered is beeing verified.
  Then, comes a "cmp" instruction, to decide if the user pushed the "cancel" buton or the "ok" to register.
  When the "ok" is pushed, the program will continue. Keep push "F10" untill the "jne" on location 00459685.
  We will now dissable the previous bpx ("bd 00"), and create a new one at the call "bpx 45967D".
  Here is the code :

 :00459676 51                      push ecx                          ; the code entered
 :00459677 52                      push edx                          ; the name entered
 :00459678 B900045000              mov ecx, 00500400
 :0045967D E8AEEDFFFF              call 00458430
 :00459682 83F801                  cmp eax, 00000001
 :00459685 7532                    jne 004596B9                      ; stop here !!
 :00459687 6A00                    push 00000000
 :00459689 68408F4500              push 00458F40
 :0045968E 56                      push esi

  If you take a look now at register EAX, you can see that it's highlighted, and contained  "00000000".
  This means that its value is beeing change  within the call at location 0045967D.
   Do we want to check what will happend if EAX was equal to 1 ??
  To force it to jump, type "r fl z" and type "x".   Well, this was the right guess at the right place :), we got the
  "Thank you..." message. Now, going again to the "about", we see that the program is not registered.
  We should look now for the appropriate location to put in EAX "1", so we can pass this check.
  go again to the registration screen, and when Softice will break on the call 00458430 press "F8" to
  go into this call.  I've cut the code, just to get to the important part, but you need to "F10" until you come over
  location 0045848C.  We can see that this call is beeing called from 2 locations, this can be a good
  sign. You ask why ?  Maybe one for registering and one for the "About" ???

   * Referenced by a CALL at Addresses:
 |:00458641   , :0045967D
 :00458430 83EC24                  sub esp, 00000024
 :00458433 53                      push ebx
 :00458434 55                      push ebp
 :00458435 56                      push esi
 :00458436 8B742434                mov esi, dword ptr [esp+34]
 :0045843A 57                      push edi
 :0045843B 8BF9                    mov edi, ecx
 :0045843D 56                      push esi
 :0045843E 897C2414                mov dword ptr [esp+14], edi
 :00458442 E8E91E0000              call 0045A330
 :00458447 83C404                  add esp, 00000004
 :0045844A 85C0                    test eax, eax
 :0045844C 750C                    jne 0045845A                         ;  < jump >

    ----- snip  snip -----

 :0045845A 8D442414                lea eax, dword ptr [esp+14]
 :0045845E 6A01                    push 00000001
 :00458460 50                      push eax
 :00458461 56                      push esi
 :00458462 E809220000              call 0045A670
 :00458467 8B4720                  mov eax, dword ptr [edi+20]
 :0045846A 83C40C                  add esp, 0000000C
 :0045846D 80382D                  cmp byte ptr [eax], 2D
 :00458470 0F859A000000            jne 00458510                          ;  < no jump >
 :00458476 8B4C2440                mov ecx, dword ptr [esp+40]

    ----- snip  snip -----

 :00458482 E8E91E0000              call 0045A370
 :00458487 83C410                  add esp, 00000010
 :0045848A 85C0                    test eax, eax
 :0045848C 740F                    je 0045849D              ;  < jump >  stop here
 :0045848E 5F                      pop edi
 :0045848F 5E                      pop esi
 :00458490 5D                      pop ebp
 :00458491 B801000000              mov eax, 00000001
 :00458496 5B                      pop ebx
 :00458497 83C424                  add esp, 00000024
 :0045849A C20C00                  ret 000C

 You are now on location 45848C, and the program is about to jump. Take a look 4 lines forward, can you
  see what will happened if the program will not jump ?  EAX will get the value of "1" and we will "ret" with "1"
  in EAX  from this routine, this is what we looked for.  Delete the previous bpx "bc 01" and set "bpx 45848C".
  Type "r fl z" and "x", SI break again on our  je 0045849D. Type "r fl z" again and "x".
  Thats it, "Thank you...". Go now to the "Help/Abaout".  Si break at the same place. We were right, this is
  the place to patch the program.

  Job done..
The Patches

 Load up fguard32.dll into your Hex-Editor ( I use hexWorkshop-32).


REMEMBER, i'm doing my cracks as a hobby and challenge, so please, if you
like this utility and want to keep using it, support the author and pay for it.
Final Notes

 My thanks and gratitude goes to:-

 The Sandman for all what he is doing for us, newbies.

 Rhayader for helping me with Reverse Code Engineering and useful tips

 Alpine, Lord Soth, Volatility and Torn@do for my basic knowledge in packed programs

Essay by:   The snake
Page Created: 17th November 1999